High severityNVD Advisory· Published Feb 4, 2026· Updated Feb 5, 2026
terraform-provider-proxmox has insecure sudo recommendation in the documentation
CVE-2026-25499
Description
Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/bpg/terraform-provider-proxmoxGo | < 0.93.1 | 0.93.1 |
Affected products
1- Range: < 0.93.1
Patches
1bd604c41a31efix(docs): prevent path traversal in sudoers tee configuration (#2524)
3 files changed · +7 −3
.dev/__pycache__/proxmox_debug_script.cpython-314.pyc+0 −0 removeddocs/index.md+5 −3 modified@@ -422,17 +422,19 @@ In the example below, we create a user `terraform` and assign the `sudo` privile ```text terraform ALL=(root) NOPASSWD: /usr/sbin/pvesm terraform ALL=(root) NOPASSWD: /usr/sbin/qm - terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/* + terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[a-zA-Z0-9_][a-zA-Z0-9_.-]* ``` If you're using a different datastore for snippets, not the default `local`, you should add the datastore's mount point to the sudoers file as well, for example: - + ```text - terraform ALL=(root) NOPASSWD: /usr/bin/tee /mnt/pve/cephfs/* + terraform ALL=(root) NOPASSWD: /usr/bin/tee /mnt/pve/cephfs/snippets/[a-zA-Z0-9_][a-zA-Z0-9_.-]* ``` You can find the mount point of the datastore by running `pvesh get /storage/<name>` on the Proxmox node. + ~> **Security Warning:** Do not use wildcard patterns like `/var/lib/vz/*` in sudoers rules for `tee`. Such patterns allow path traversal attacks (e.g., `/var/lib/vz/../../../etc/sudoers.d/malicious`) that can lead to privilege escalation. Always restrict to specific subdirectories with strict filename patterns as shown above. + - Copy your SSH public key to the `~/.ssh/authorized_keys` file of the `terraform` user on the target node. - Test the SSH connection and password-less `sudo`:
.gitignore+2 −0 modified@@ -1,6 +1,8 @@ /example/terraform-provider-* /pkg/ /test/ +/tmp/ +/temp/ /website/.vagrant /website/.bundle /website/build
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-gwch-7m8v-7544ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25499ghsaADVISORY
- github.com/bpg/terraform-provider-proxmox/commit/bd604c41a31e2a55dd6acc01b0608be3ea49c023ghsax_refsource_MISCWEB
- github.com/bpg/terraform-provider-proxmox/security/advisories/GHSA-gwch-7m8v-7544ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.