Critical Vulnerabilities in Terraform Providers Affecting openSUSE and Ubuntu Server

Severity: High (Score: 70.5)

Sources: Linuxsecurity

Summary

Recent updates for terraform-provider-local, terraform-provider-random, and terraform-provider-tls address two vulnerabilities: CVE-2026-25934 and CVE-2026-33186. CVE-2026-25934, published on 2026-02-09, is an improper verification of data integrity for git `.pack` and `.idx` files: a consumer that does not validate these files before parsing them can end up processing corrupted content. CVE-2026-33186, published on 2026-03-20, is an improper validation of the HTTP/2 `:path` pseudo-header, which can lead to an authorization bypass when access decisions are made on the unvalidated value. Neither description points to provider-specific logic; they describe code in the Go modules these providers bundle (the page lists google.golang.org among the affected entities), and because Terraform providers are statically linked Go binaries, the fix is a rebuilt provider package rather than a configuration change. Both vulnerabilities affect openSUSE Leap 15.6 and Public Cloud Modules 15-SP4 and 15-SP5. The first public proof of concept for CVE-2026-33186 was released on 2026-04-07, which raises the urgency of patching. Users are advised to apply the latest updates using SUSE's recommended installation methods and to confirm afterwards that the installed provider packages are the patched versions. The two CVEs carry different CVSS scores; CVE-2026-33186 is rated up to 9.1, which falls in the CVSS "Critical" band and indicates a significant risk. Immediate action is recommended to mitigate potential exploitation.

Key Points

  • CVE-2026-25934 and CVE-2026-33186 are critical vulnerabilities in Terraform providers.
  • CVE-2026-33186 has a CVSS score of 9.1, indicating a high risk of exploitation.
  • Users of openSUSE and Ubuntu Server are urged to apply patches immediately.
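As an added illustration of the integrity check that CVE-2026-25934 concerns (example code written for this page, not code from the affected providers or from any of their dependencies): both git packfiles and their version-2 indexes end in a SHA-1 over everything that precedes the trailer, so a consumer can reject a corrupted file before it parses a single object. The sample pack and index below are constructed inline with zero objects; the page does not describe the exact check the upstream fix adds, so this shows the format-level verification rather than the patched code.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example: trailing-checksum verification for git .pack and .idx files.
// Not the code of the affected providers or their dependencies.

var (
	errTooShort    = errors.New("file shorter than header plus trailer")
	errBadMagic    = errors.New("unexpected magic bytes")
	errBadChecksum = errors.New("trailing SHA-1 does not match content")
)

var idxMagic = []byte{0xff, 0x74, 0x4f, 0x63} // "\377tOc", the v2 index magic

// VerifyPack checks the "PACK" magic, the version field and the trailing
// SHA-1 of a packfile, returning the declared object count on success.
func VerifyPack(data []byte) (uint32, error) {
	if len(data) < 12+sha1.Size {
		return 0, errTooShort
	}
	if !bytes.Equal(data[:4], []byte("PACK")) {
		return 0, errBadMagic
	}
	if v := binary.BigEndian.Uint32(data[4:8]); v != 2 && v != 3 {
		return 0, fmt.Errorf("unsupported pack version %d", v)
	}
	if err := checkTrailer(data); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(data[8:12]), nil
}

// VerifyIdx checks a version-2 pack index (magic, version, trailing SHA-1)
// and returns the pack checksum stored just before the trailer so the caller
// can cross-check it against the matching .pack file.
func VerifyIdx(data []byte) ([]byte, error) {
	const headerLen = 4 + 4 + 256*4 // magic, version, 256-entry fan-out table
	if len(data) < headerLen+2*sha1.Size {
		return nil, errTooShort
	}
	if !bytes.Equal(data[:4], idxMagic) {
		return nil, errBadMagic
	}
	if v := binary.BigEndian.Uint32(data[4:8]); v != 2 {
		return nil, fmt.Errorf("unsupported idx version %d", v)
	}
	if err := checkTrailer(data); err != nil {
		return nil, err
	}
	return data[len(data)-2*sha1.Size : len(data)-sha1.Size], nil
}

// checkTrailer recomputes the SHA-1 over everything before the last 20 bytes.
func checkTrailer(data []byte) error {
	body, trailer := data[:len(data)-sha1.Size], data[len(data)-sha1.Size:]
	sum := sha1.Sum(body)
	if !bytes.Equal(sum[:], trailer) {
		return errBadChecksum
	}
	return nil
}

// EmptyPack builds a valid zero-object packfile (constructed sample input).
func EmptyPack() []byte {
	hdr := make([]byte, 12)
	copy(hdr, "PACK")
	binary.BigEndian.PutUint32(hdr[4:], 2) // version
	binary.BigEndian.PutUint32(hdr[8:], 0) // object count
	return appendTrailer(hdr)
}

// EmptyIdx builds the matching version-2 index for a zero-object pack
// (constructed sample input): fan-out table of zeros, no entries, pack checksum.
func EmptyIdx(packSum []byte) []byte {
	body := make([]byte, 0, 4+4+256*4+sha1.Size)
	body = append(body, idxMagic...)
	body = append(body, 0, 0, 0, 2)
	body = append(body, make([]byte, 256*4)...)
	body = append(body, packSum...)
	return appendTrailer(body)
}

func appendTrailer(body []byte) []byte {
	sum := sha1.Sum(body)
	return append(body, sum[:]...)
}

func main() {
	pack := EmptyPack()
	n, err := VerifyPack(pack)
	fmt.Println("pack objects:", n, "err:", err)
	_, err = VerifyIdx(EmptyIdx(pack[len(pack)-sha1.Size:]))
	fmt.Println("idx err:", err)
	corrupted := append([]byte(nil), pack...)
	corrupted[9] ^= 0x01 // flip a bit in the object count
	_, err = VerifyPack(corrupted)
	fmt.Println("corrupted pack:", err)
}
```

The point of checking the trailer first is that it is cheap and total: a flipped bit anywhere in the object count, fan-out table or object data fails the SHA-1 comparison before any offset from the file is trusted. Note that SHA-1 here is an integrity check against corruption, not an authentication mechanism; a peer that can rewrite the file can also rewrite the trailer.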

Key Entities

  • CVE-2026-25934 (cve)
  • CVE-2026-33186 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • google.golang.org (domain)
  • OpenSUSE (company)
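The HTTP/2 `:path` issue from the summary above, illustrated as an added example of the bug class (example code written for this page, not the code of the affected dependency, and not the specific condition CVE-2026-33186 triggers on, which this page does not describe): an authorization check that matches the raw pseudo-header can disagree with the route the backend eventually serves. The `protectedPrefixes` policy and the two check functions are assumptions for the example; the validation rules in `ValidatePath` follow the `:path` constraints of RFC 9113 section 8.3.1.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Added example of improper vs. proper validation of the HTTP/2 :path
// pseudo-header before an authorization decision. The policy below is a
// hypothetical one chosen for the example.

var errBadPath = errors.New("invalid :path pseudo-header")

// protectedPrefixes: hypothetical policy, everything under /admin needs
// an admin credential.
var protectedPrefixes = []string{"/admin"}

// WeakIsProtected matches the raw :path exactly as the peer sent it.
// It misses dot-segments and percent-encoding, and its prefix test has no
// segment boundary (so "/administrator" is wrongly treated as protected).
func WeakIsProtected(rawPath string) bool {
	for _, p := range protectedPrefixes {
		if strings.HasPrefix(rawPath, p) {
			return true
		}
	}
	return false
}

// ValidatePath enforces RFC 9113 8.3.1: :path must be non-empty; "*" is
// only valid for OPTIONS; otherwise it must be an absolute path starting
// with "/". It then percent-decodes and collapses dot-segments so the
// authorization decision is made on the same string the backend routes on.
func ValidatePath(method, rawPath string) (string, error) {
	if rawPath == "" {
		return "", errBadPath
	}
	if rawPath == "*" {
		if method == "OPTIONS" {
			return "*", nil
		}
		return "", errBadPath
	}
	if rawPath[0] != '/' {
		return "", errBadPath
	}
	for _, c := range rawPath {
		if c <= 0x20 || c >= 0x7f { // no controls, whitespace or raw non-ASCII
			return "", errBadPath
		}
	}
	u, err := url.ParseRequestURI(rawPath) // rejects malformed %-escapes
	if err != nil {
		return "", errBadPath
	}
	if strings.IndexByte(u.Path, 0) >= 0 { // decoded NUL
		return "", errBadPath
	}
	canon := path.Clean(u.Path) // "/public/../admin" -> "/admin"
	if !strings.HasPrefix(canon, "/") {
		return "", errBadPath
	}
	return canon, nil
}

// HardenedIsProtected decides on the canonical path and respects segment
// boundaries: "/admin" and "/admin/x" are protected, "/administrator" is not.
func HardenedIsProtected(method, rawPath string) (bool, error) {
	canon, err := ValidatePath(method, rawPath)
	if err != nil {
		return false, err
	}
	for _, p := range protectedPrefixes {
		if canon == p || strings.HasPrefix(canon, p+"/") {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample :path values, including two bypass attempts.
	for _, raw := range []string{"/admin/users", "/public/../admin", "/%61dmin", "/administrator", "admin", ""} {
		weak := WeakIsProtected(raw)
		hard, err := HardenedIsProtected("GET", raw)
		fmt.Printf("%-20q weak=%-5v hardened=%-5v err=%v\n", raw, weak, hard, err)
	}
}
```

The general lesson is that a pseudo-header is attacker-controlled input: reject anything outside the grammar, canonicalize once, and make every later decision (authorization, routing, logging) on that single canonical value rather than on the wire form.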