6

CVE-2026-40091

EPSS 0.17%
Veröffentlicht 14.04.2026 23:50:25
Zuletzt bearbeitet 23.04.2026 17:15:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Authzed ≫ Spicedb Version >= 1.49.0 < 1.51.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.061

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.4	0.8	3.6	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	6	1.5	4	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58

Vendor Advisory

https://github.com/authzed/spicedb/releases/tag/v1.51.1

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-40091

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40091

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40091

EUVD