CVE-2026-40091
MEDIUMSeverity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI.
Patches
v1.51.1
Workarounds
Change the log level to warn or error.
AnalysisAI
SpiceDB information disclosure vulnerability in startup logging allows high-privileged local attackers to obtain plaintext database passwords. When SpiceDB initializes at info log level, the startup configuration log message exposes the complete datastore DSN string containing unmasked credentials in the DatastoreConfig.URI field. Patch version 1.51.1 available; CVSS 6.0 reflects high confidentiality impact mitigated by high privilege requirement and local-only attack vector.
Technical ContextAI
SpiceDB is an open-source authorization database written in Go (CPE: pkg:go/github.com_authzed_spicedb). The vulnerability stems from CWE-532 (Insertion of Sensitive Information into Log File) in the startup configuration logging routine. The affected code path occurs during application initialization when log level is configured to 'info', where the DatastoreConfig object is serialized and logged without redacting sensitive URI components. The DSN (Data Source Name) URI format typically follows patterns like 'protocol://username:password@host:port/database', and the logger outputs the entire structure without filtering credentials. This is a classic credential leakage scenario where sensitive material intended for runtime operation inadvertently enters audit trails accessible to system users with log file read permissions.
RemediationAI
Upgrade SpiceDB to version 1.51.1 or later, which includes fixes to redact credentials from startup configuration logs. For users unable to patch immediately, implement the immediate workaround by adjusting the SpiceDB log level configuration from 'info' to 'warn' or 'error' in your startup configuration or environment variables, which suppresses the vulnerable startup configuration message entirely. Additionally, audit existing log archives and centralized logging systems (Splunk, ELK, CloudWatch, etc.) to identify and rotate any database credentials that may have been exposed in prior logs. Review access controls on SpiceDB log files and logging infrastructure to ensure high-privilege users cannot trivially export credentials. Consult the security advisory at https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58 for detailed mitigation steps.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-jf4f-rr2c-9m58