Critical Vulnerabilities in Terraform Providers Affecting openSUSE and Ubuntu Server

Critical Vulnerabilities in Terraform Providers Affecting openSUSE and Ubuntu Server

First seen 17 Apr 2026, 01:31 UTC Linuxsecurity 96% similarity 70.5

Article Content

Browse articles
ThreatCluster

Recent updates for terraform-provider-local, terraform-provider-random, and terraform-provider-tls address two critical vulnerabilities: CVE-2026-25934 and CVE-2026-33186. CVE-2026-25934, published on 2026-02-09, involves improper verification of data integrity for `.pack` and `.idx` files, potentially leading to the consumption of corrupted files. CVE-2026-33186, published on 2026-03-20, relates to improper validation of the HTTP/2 `:path` pseudo-header, which can result in authorization bypass. Both vulnerabilities affect openSUSE Leap 15.6 and Public Cloud Modules 15-SP4 and 15-SP5. The first public proof of concept for CVE-2026-33186 was released on 2026-04-07, raising the urgency for patching. Users are advised to apply the latest updates using SUSE's recommended installation methods. The vulnerabilities have varying CVSS scores, with CVE-2026-33186 rated as high as 9.1, indicating a significant risk. Immediate action is recommended to mitigate potential exploitation.

Key Points: • CVE-2026-25934 and CVE-2026-33186 are critical vulnerabilities in Terraform providers. • CVE-2026-33186 has a CVSS score of 9.1, indicating a high risk of exploitation. • Users of openSUSE and Ubuntu Server are urged to apply patches immediately.

ThreatCluster AI

Timeline

2026-02-09
CVE-2026-25934 published
2026-03-20
CVE-2026-33186 published
2026-04-07
First public PoC for CVE-2026-33186 released
2026-04-16
Patch updates released for affected Terraform providers

Community

Browse all →