Skip to main content

CVE-2026-40091

MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-04-14 https://github.com/authzed/spicedb GHSA-jf4f-rr2c-9m58
6.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.0 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Red Hat
6.0 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 01:12 vuln.today
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
CVE Published
Apr 14, 2026 - 22:33 nvd
MEDIUM 6.0

DescriptionGitHub Advisory

Impact

When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI.

Patches

v1.51.1

Workarounds

Change the log level to warn or error.

AnalysisAI

SpiceDB information disclosure vulnerability in startup logging allows high-privileged local attackers to obtain plaintext database passwords. When SpiceDB initializes at info log level, the startup configuration log message exposes the complete datastore DSN string containing unmasked credentials in the DatastoreConfig.URI field. Patch version 1.51.1 available; CVSS 6.0 reflects high confidentiality impact mitigated by high privilege requirement and local-only attack vector.

Technical ContextAI

SpiceDB is an open-source authorization database written in Go (CPE: pkg:go/github.com_authzed_spicedb). The vulnerability stems from CWE-532 (Insertion of Sensitive Information into Log File) in the startup configuration logging routine. The affected code path occurs during application initialization when log level is configured to 'info', where the DatastoreConfig object is serialized and logged without redacting sensitive URI components. The DSN (Data Source Name) URI format typically follows patterns like 'protocol://username:password@host:port/database', and the logger outputs the entire structure without filtering credentials. This is a classic credential leakage scenario where sensitive material intended for runtime operation inadvertently enters audit trails accessible to system users with log file read permissions.

RemediationAI

Upgrade SpiceDB to version 1.51.1 or later, which includes fixes to redact credentials from startup configuration logs. For users unable to patch immediately, implement the immediate workaround by adjusting the SpiceDB log level configuration from 'info' to 'warn' or 'error' in your startup configuration or environment variables, which suppresses the vulnerable startup configuration message entirely. Additionally, audit existing log archives and centralized logging systems (Splunk, ELK, CloudWatch, etc.) to identify and rotate any database credentials that may have been exposed in prior logs. Review access controls on SpiceDB log files and logging infrastructure to ensure high-privilege users cannot trivially export credentials. Consult the security advisory at https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58 for detailed mitigation steps.

Vendor StatusVendor

Share

CVE-2026-40091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy