HCSEC-2026-09 - Remediation and Improved Secret Management for GitHub Webhook Secret Exposure

Bulletin ID: HCSEC-2026-09
Publication Date: April 20, 2026

Target Audience: All HCP Terraform and Terraform Enterprise customers using GitHub integrations for Version Control System (VCS) workflows.

Executive Summary

On April 15, 2026, GitHub disclosed a security incident involving a bug in their webhook delivery platform. Between September 2025 and January 2026, GitHub inadvertently included webhook secrets in the HTTP headers of a subset of outbound webhook deliveries.

Because of this upstream bug in GitHub's infrastructure, the webhook secrets sent to receiving systems such as HCP Terraform and Terraform Enterprise may have been exposed to any component on the delivery path that logged or inspected request headers (for example load balancers, reverse proxies, API gateways, or log pipelines).

To protect your infrastructure, HashiCorp has developed specific remediation paths based on your deployment model:

  • HCP Terraform (SaaS): We have fully automated the rotation of all potentially affected GitHub webhook secrets. No action is required.
  • Terraform Enterprise (Self-Hosted): If you receive a direct notification from GitHub stating that your webhooks were impacted, reach out to your HashiCorp support contact for assistance.

What Happened?

According to GitHub’s disclosure, a bug in a feature-flagged version of their webhook platform caused webhook secrets to be sent in a base64-encoded format within an unintended HTTP header (X-Github-Encoded-Secret).

  • Exposure Window: September 11, 2025, to December 10, 2025, and briefly on January 5, 2026. GitHub fully patched the issue on January 26, 2026.
  • The Risk: Webhook secrets are used to compute an HMAC signature (sent in the X-Hub-Signature-256 header), allowing receiving platforms to verify that a payload genuinely originated from GitHub. If the secret is exposed, an attacker who can reach the receiving endpoint can compute a valid signature for a payload of their choosing, and the receiver would accept the forged delivery as genuine.
  • Scope: Only the webhook secret was exposed in the header. Webhook payloads, access tokens, and other credentials were not exposed by GitHub’s bug.
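As an added illustration of the risk described above (example code written for readers of this bulletin, not HashiCorp's or GitHub's own code), the following Python shows how a receiver verifies GitHub's X-Hub-Signature-256 header with the shared webhook secret, why an attacker holding a leaked secret can produce a payload that passes that check, and why rotating the secret closes the gap. The secret values, payloads and function names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed placeholder secrets for the example; not real values.
ORIGINAL_SECRET = b"constructed-webhook-secret-do-not-use"
ROTATED_SECRET = b"constructed-rotated-secret-do-not-use"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the X-Hub-Signature-256 value GitHub attaches to a delivery:
    'sha256=' followed by the hex HMAC-SHA256 of the raw body under the secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver-side check. Recompute the signature over the raw body and compare
    in constant time so the comparison itself does not leak timing information."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def demo_forgery() -> dict:
    """Show what a leaked secret buys an attacker, and what rotation takes away."""
    # A genuine push event as GitHub would sign it with the original secret.
    genuine_body = json.dumps({"ref": "refs/heads/main", "after": "aaaa"}).encode()
    genuine_sig = sign_payload(ORIGINAL_SECRET, genuine_body)

    # An attacker who learned ORIGINAL_SECRET (e.g. from a logged
    # X-Github-Encoded-Secret header) signs a payload of their own choosing.
    forged_body = json.dumps({"ref": "refs/heads/main", "after": "bbbb"}).encode()
    forged_sig = sign_payload(ORIGINAL_SECRET, forged_body)

    return {
        # Before rotation the receiver cannot tell the forgery from the real thing.
        "genuine_accepted_before_rotation": verify_signature(ORIGINAL_SECRET, genuine_body, genuine_sig),
        "forged_accepted_before_rotation": verify_signature(ORIGINAL_SECRET, forged_body, forged_sig),
        # After rotation the receiver verifies with ROTATED_SECRET; the
        # attacker's signature under the old secret no longer validates.
        "forged_accepted_after_rotation": verify_signature(ROTATED_SECRET, forged_body, forged_sig),
        # Any change to the body after signing is also rejected.
        "tampered_body_rejected": not verify_signature(ORIGINAL_SECRET, forged_body + b" ", forged_sig),
    }


if __name__ == "__main__":
    for name, result in demo_forgery().items():
        print(f"{name}: {result}")
```

The check must be computed over the exact raw request body (not a re-serialized copy), and the rotation only helps if the receiver stops accepting the old secret; that is what the automated HCP Terraform rotation and the support-assisted TFE rotation accomplish.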

Remediation for HCP Terraform (SaaS) Customers

Status: Complete

For customers using our managed HCP Terraform platform, our engineering teams have completed a fully automated migration that rotated all GitHub webhook secrets used by your VCS connections.

  • Our backend systems communicated securely with GitHub to generate new secrets and update your workspace configurations without interrupting your automated workflows.
  • Timeline: The automated rotation has completed. No customer action is required.

Remediation for Terraform Enterprise (Self-Managed) Customers

Status: Support-Assisted Remediation

Because Terraform Enterprise operates within your own environment, we cannot automatically rotate these webhook secrets for you via our backend systems.

Step 1: Contact Support (if notified by GitHub)

If you received a direct notification from GitHub stating that your webhooks were impacted by this leak, please reach out to your HashiCorp support contact for assistance in resolving this issue and securely rotating your integration credentials.

Step 2: Audit Your Internal Infrastructure Logs (Actionable Now)

You can proactively secure your internal network infrastructure. We strongly recommend auditing your:

  • Load balancers and Ingress controllers
  • Reverse proxies (e.g., NGINX, HAProxy)
  • API gateways
  • Logging and SIEM pipelines (e.g., Splunk, Datadog)

Search these systems for the presence of the X-Github-Encoded-Secret header between September 11, 2025, and January 26, 2026. Proxies and log shippers commonly lowercase header names or rewrite hyphens as underscores (for example x_github_encoded_secret), so search case-insensitively for both forms. If found, purge those logs immediately to prevent downstream exposure. Note that purging limits further spread but does not invalidate the secret: treat any secret found this way as exposed, and contact HashiCorp Support (Step 1) to have it rotated.
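The following Python is an added example of the audit described in Step 2 (written for this bulletin's readers, not a HashiCorp tool). It scans log lines for the leaked header under its hyphenated, underscored and lowercased spellings, extracts a timestamp in either NGINX access-log or ISO 8601 form, flags hits inside the exposure window, and reports each finding with the value redacted so the audit output does not itself become another copy of the secret. The log lines, timestamp formats, and base64 value are constructed for the example; real log formats vary, so adjust the regular expressions to your own log_format.

```python
import base64
import binascii
import re
import sys
from datetime import datetime, timezone

# The header GitHub's bug added. Proxies and log shippers may lowercase it or
# rewrite hyphens to underscores (e.g. NGINX's $http_x_github_encoded_secret),
# so all spellings are matched. The value is base64, so only base64 chars follow.
HEADER_RE = re.compile(
    r'x[-_]github[-_]encoded[-_]secret"?\s*[:=]\s*"?([A-Za-z0-9+/=]+)', re.IGNORECASE
)

# Exposure window from the bulletin, inclusive: first affected delivery to GitHub's fix.
WINDOW_START = datetime(2025, 9, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 26, 23, 59, 59, tzinfo=timezone.utc)

# Two timestamp styles commonly seen in proxy and gateway logs (assumption: extend as needed).
TS_PATTERNS = [
    (re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"), "%d/%b/%Y:%H:%M:%S %z"),
    (re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))"), None),
]


def parse_timestamp(line: str):
    """Return an aware datetime from the line, or None if no known format is present."""
    for pattern, fmt in TS_PATTERNS:
        m = pattern.search(line)
        if not m:
            continue
        raw = m.group(1)
        if fmt:
            return datetime.strptime(raw, fmt)
        return datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return None


def redact(value: str) -> str:
    """Keep just enough of the value to correlate findings without re-logging the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def looks_base64(value: str) -> bool:
    """The leaked value was base64-encoded; confirm it decodes without exposing the plaintext."""
    try:
        return len(base64.b64decode(value, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def audit_lines(lines):
    """Scan log lines and return one finding per occurrence of the leaked header."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = HEADER_RE.search(line)
        if not m:
            continue
        ts = parse_timestamp(line)
        findings.append({
            "line": lineno,
            "timestamp": ts.isoformat() if ts else None,
            "in_window": ts is not None and WINDOW_START <= ts <= WINDOW_END,
            "value_redacted": redact(m.group(1)),
            "looks_base64": looks_base64(m.group(1)),
        })
    return findings


# Constructed sample lines: an NGINX-style access log whose log_format captured request
# headers, and a JSON gateway log with a lowercase header map. Not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Sep/2025:14:03:11 +0000] "POST /webhooks/github HTTP/1.1" 200 '
    'x_github_encoded_secret="c2VjcmV0LWRvLW5vdC11c2U=" x_hub_signature_256="sha256=..."',
    '203.0.113.10 - - [13/Sep/2025:09:15:02 +0000] "POST /webhooks/github HTTP/1.1" 200 '
    'x_github_encoded_secret="-" x_hub_signature_256="sha256=..."',
    '{"ts":"2026-01-05T07:40:00Z","path":"/webhooks/github","headers":'
    '{"x-github-encoded-secret":"c2VjcmV0LWRvLW5vdC11c2U=","user-agent":"GitHub-Hookshot/abc"}}',
    '{"ts":"2026-02-01T10:00:00Z","path":"/webhooks/github","headers":'
    '{"x-github-encoded-secret":"c2VjcmV0LWRvLW5vdC11c2U="}}',
    '203.0.113.10 - - [01/Oct/2025:11:00:00 +0000] "POST /webhooks/github HTTP/1.1" 200 '
    'x_hub_signature_256="sha256=..."',
]


if __name__ == "__main__":
    # Pipe an exported log through stdin, or run with no input to use the sample lines.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for f in audit_lines(source):
        print(f)
```

A line whose header value is "-" (the access-log placeholder for an absent header) is not a finding, and a hit dated after January 26, 2026 is still reported so it can be investigated, but marked as outside the window. Run the script against exported logs rather than live systems, and handle its output as sensitive even though the values are redacted.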

We Are Here to Help

If you have any questions regarding this bulletin, please reach out to HashiCorp Support. For specific questions regarding the upstream vulnerability itself, please refer to GitHub Support.
