HCSEC-2026-09 - Remediation and Improved Secret Management for GitHub Webhook Secret Exposure
📋 Description
Bulletin ID: HCSEC-2026-09
Publication Date: April 20, 2026
Target Audience: All HCP Terraform and Terraform Enterprise customers using GitHub integrations for Version Control System (VCS) workflows.

Executive Summary
On April 15th, GitHub disclosed a security incident involving a bug in their webhook delivery platform. Between September 2025 and January 2026, GitHub inadvertently included webhook secrets in the HTTP headers of a subset of outbound webhook deliveries. Because of this upstream bug in GitHub's infrastructure, the webhook secrets for receiving systems such as HCP Terraform and Terraform Enterprise may have been exposed to the receiving system and to anything on the delivery path that logged or inspected request headers.

To protect your infrastructure, HashiCorp has developed specific remediation paths based on your deployment model:
- HCP Terraform (SaaS): We have fully automated the rotation of all potentially affected GitHub webhook secrets. No action is required.
- Terraform Enterprise (Self-Hosted): If you receive a direct notification from GitHub stating that your webhooks were impacted, reach out to your HashiCorp support contact for assistance.

What Happened?
According to GitHub's disclosure, a bug in a feature-flagged version of their webhook platform caused webhook secrets to be sent in a base64-encoded form within an unintended HTTP header (X-Github-Encoded-Secret).

Exposure Window: September 11, 2025, to December 10, 2025, and briefly on January 5, 2026. GitHub fully patched the issue on January 26, 2026.

The Risk: Webhook secrets are used to compute an HMAC signature over each delivery, which lets receiving platforms verify that a payload genuinely originated from GitHub. Anyone holding the secret can compute a valid signature for a payload of their choosing, so an exposed secret lets an attacker forge webhook deliveries that the receiver would accept as genuine until the secret is rotated.

Scope: Only the webhook secret was exposed in the header. Webhook payloads, access tokens, and other credentials were not exposed by GitHub's bug.

Remediation for HCP Terraform (SaaS) Customers
Status: Complete
For customers using our managed HCP Terraform platform, our engineering teams are active…
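The following is an added example, not HashiCorp's or GitHub's code, showing why an exposed secret matters and why rotation closes the gap. It assumes GitHub's documented signature header format (X-Hub-Signature-256 carrying "sha256=" plus the hex HMAC-SHA256 of the raw request body); the X-Github-Encoded-Secret header name and its base64 encoding come from the bulletin. The secret values and JSON bodies are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed values for the demonstration; not real secrets or deliveries.
OLD_SECRET = b"constructed-webhook-secret-2025"
LEGIT_BODY = b'{"ref":"refs/heads/main","after":"0a1b2c3d"}'
FORGED_BODY = b'{"ref":"refs/heads/main","after":"ffffffff"}'


def sign(secret: bytes, body: bytes) -> str:
    """GitHub-style signature: 'sha256=' + hex HMAC-SHA256 over the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """What a receiver such as a VCS integration does with X-Hub-Signature-256.

    Uses a constant-time comparison, and signs the raw bytes the receiver
    actually parses, never a re-serialised copy of the JSON.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), signature_header)


def secret_from_encoded_header(headers: Dict[str, str]) -> Optional[bytes]:
    """Recover the secret from an affected delivery.

    Per the bulletin, affected deliveries carried the secret base64-encoded in
    X-Github-Encoded-Secret; anything that saw or logged the headers could do this.
    """
    encoded = headers.get("X-Github-Encoded-Secret")
    return base64.b64decode(encoded) if encoded is not None else None


def affected_delivery(secret: bytes, body: bytes) -> Dict[str, str]:
    """Headers of a delivery as sent during the exposure window (constructed)."""
    return {
        "X-Hub-Signature-256": sign(secret, body),
        "X-Github-Encoded-Secret": base64.b64encode(secret).decode(),
    }


def demo() -> Tuple[bool, bool]:
    """Returns (forged delivery accepted before rotation, accepted after rotation)."""
    # 1. An observer captures one affected delivery and recovers the secret.
    leaked = secret_from_encoded_header(affected_delivery(OLD_SECRET, LEGIT_BODY))
    assert leaked == OLD_SECRET

    # 2. Holding the secret, the observer signs a payload of their choosing.
    forged_signature = sign(leaked, FORGED_BODY)
    accepted_before = verify(OLD_SECRET, FORGED_BODY, forged_signature)

    # 3. Rotation: the receiver switches to a fresh secret the observer never saw.
    new_secret = secrets.token_bytes(32)
    accepted_after = verify(new_secret, FORGED_BODY, forged_signature)
    return accepted_before, accepted_after


if __name__ == "__main__":
    before, after = demo()
    print(f"forged delivery accepted before rotation: {before}")
    print(f"forged delivery accepted after rotation:  {after}")
```

Rotation only helps once both ends use the new value: until the receiver's stored secret changes, a signature made with the leaked one still verifies, which is why a self-hosted Terraform Enterprise operator has to update the secret on the receiving side as well as in the GitHub webhook configuration.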
🎯 Affected products
- HCP Terraform
- Terraform Enterprise