Git credentials are exposed in atlantis logs
Description
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contain GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate the Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667. The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Atlantis logs GitHub credentials during token rotation, enabling attackers with log access to impersonate the app and gain GitHub org admin privileges.
Vulnerability
Overview
CVE-2024-52009 describes a logging flaw in Atlantis, a self-hosted Terraform webhook listener. When GitHub credentials (tokens starting with ghs_) are rotated, Atlantis writes the token value into debug-level logs [2]. This occurs in the credential rotation logic, specifically in vcs/gh_app_creds_rotator.go and vcs/git_cred_writer.go, as confirmed by the advisory [4].
Exploitation
Scenario
An attacker does not need authentication to Atlantis itself; they only require read access to the log stream where these credentials appear. For example, in deployments where Atlantis runs as an Argo CD application, users with read-only Argo CD access can view the logs [1]. No special privileges within GitHub or Atlantis are needed beyond log visibility.
Impact
With the leaked token, an attacker can impersonate the Atlantis GitHub App, performing any action the app is authorized to do. If Atlantis manages a GitHub organization (e.g., via Terraform), the attacker can gain organization admin privileges, compromising all repositories. This can escalate to cluster admin if those repositories contain Infrastructure-as-Code for Kubernetes clusters [1][4].
Mitigation
The issue was fixed in Atlantis v0.30.0, as noted in the release changelog [3]. The fix prevents logging of GitHub tokens during rotation. There are no known workarounds; all users are advised to upgrade immediately [2][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
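As an added defensive example (not part of this record or of the Atlantis code base), the Go program below scans retained Atlantis log lines for leaked ghs_ tokens and redacts them, so operators who ran versions before v0.30.0 can check whether a rotation was captured in logs they still hold. The sample lines and the 36-character token tail are constructed assumptions; the real Atlantis log message text is not shown on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ghsToken matches GitHub App installation tokens ("ghs_"), the credential
// Atlantis before v0.30.0 logged on rotation; the 36-char tail is assumed.
var ghsToken = regexp.MustCompile(`ghs_[A-Za-z0-9]{36}`)

// ScanResult summarises one pass over a log stream.
type ScanResult struct {
	Redacted  []string // input lines with each token replaced by ghs_[REDACTED]
	Leaks     int      // total token occurrences found
	LeakLines []int    // zero-based indexes of lines that contained a token
}

// ScanLogs finds leaked ghs_ tokens in log lines, bare or inside a git
// credential URL (https://x-access-token:ghs_...@github.com), and returns a
// redacted copy. Leaks > 0 means that token must be treated as compromised.
func ScanLogs(lines []string) ScanResult {
	res := ScanResult{Redacted: make([]string, 0, len(lines))}
	for i, line := range lines {
		if n := len(ghsToken.FindAllStringIndex(line, -1)); n > 0 {
			res.Leaks += n
			res.LeakLines = append(res.LeakLines, i)
		}
		res.Redacted = append(res.Redacted, ghsToken.ReplaceAllString(line, "ghs_[REDACTED]"))
	}
	return res
}

// SampleLogs are constructed lines imitating a pre-fix rotation. The tokens
// are fake and the message text is not Atlantis's real log format.
var SampleLogs = []string{
	`DEBUG rotating GitHub App installation token`,
	`DEBUG new token: ghs_` + strings.Repeat("A", 36),
	`DEBUG wrote https://x-access-token:ghs_` + strings.Repeat("B", 36) + `@github.com`,
	`INFO  rotation complete`,
}

func main() {
	res := ScanLogs(SampleLogs)
	fmt.Printf("leaked tokens: %d on lines %v\n", res.Leaks, res.LeakLines)
	for _, l := range res.Redacted {
		fmt.Println(l)
	}
}
```

Any hit in logs from a pre-0.30.0 deployment means the installation token that was live at that time should be rotated, and the redacted copy is what should be kept or shared afterwards.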
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/runatlantis/atlantis (Go) | < 0.30.0 | 0.30.0 |
Affected products
- ghsa coords (2 versions): pkg:golang/github.com/runatlantis/atlantis; pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed; range: < 0.30.0 (+1 more)
- (no CPE) range: < 0.30.0
- (no CPE) range: < 0.0.20241120T172248-1.1
- runatlantis/atlantis (v5) range: < 0.30.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gppm-hq3p-h4rp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-52009 (ghsa, ADVISORY)
- argo-cd.readthedocs.io/en/stable/operator-manual/security (ghsa, x_refsource_MISC, WEB)
- github.com/runatlantis/atlantis/issues/4060 (ghsa, x_refsource_MISC, WEB)
- github.com/runatlantis/atlantis/pull/4667 (ghsa, x_refsource_MISC, WEB)
- github.com/runatlantis/atlantis/releases/tag/v0.30.0 (ghsa, x_refsource_MISC, WEB)
- github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2024-3265 (ghsa, WEB)
News mentions
No linked articles in our index yet.