CVE-2025-13432

MEDIUM

Terraform 1.0.0-1.0.3 - Incorrect Authorization in State Version Creation

Title source: llm

Description

Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3.

References (1)

Core 1

Core References

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2025-34-terraform-enterprise-state-versions-can-be-created-by-users-without-sufficient-write-access/76821

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

hashicorp/terraform 1.1.0

hashicorp/terraform 1.0.0 - 1.0.3

Published Nov 21, 2025

Tracked Since Feb 18, 2026