Home > Vulnerability Database > CVE-2026-25499

Mend.io Vulnerability Database

CVE-2026-25499

Good to know:

Date: February 4, 2026

Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1.

Severity Score

7.5

Related Resources (5)

Url: https://github.com/bpg/terraform-provider-proxmox/commit/bd604c41a31e2a55dd6acc01b0608be3ea49c023

Url: https://github.com/bpg/terraform-provider-proxmox

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-25499

Url: https://github.com/bpg/terraform-provider-proxmox/security/advisories/GHSA-gwch-7m8v-7544

Url: https://www.mend.io/vulnerability-database/CVE-2026-25499

Severity Score

7.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Initialization of a Resource with an Insecure Default

CWE-1188

Top Fix

Upgrade Version

Upgrade to version github.com/bpg/terraform-provider-proxmox - v0.93.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-25499

Good to know:

Date: February 4, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?