Intel

AIKIDO-2026-390452

pulumi-docker-build is vulnerable to Cleartext Storage of Sensitive Information

Cleartext Storage of Sensitive Information Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 30, 2026

35

Low Risk

This Affects:

PYTHONpulumi-docker-build
0.0.1 - 0.0.19
Fixed in 0.0.20
Are you affected? Scan for Free

TL;DR

The docker-build:index:Image resource accepts a secrets input that holds sensitive build secret values passed directly by value. The provider schema and the language SDK do not mark this input as a Pulumi secret, so the supplied values are written to the stack state and shown in diffs and stack exports in plaintext. Anyone with access to the state file or to the operation output can read the unencrypted secrets. The fix marks the secrets input as secret in the schema and wraps it through the SDK with additional secret outputs so the values are encrypted in state.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and pass values to the secrets input of the docker-build:index:Image resource.

Background info

pulumi-docker-build is vulnerable to Cleartext Storage of Sensitive Information in versions 0.0.1 - 0.0.19.

How to fix this

Upgrade the pulumi-docker-build library to the patch version.