Skip to main content

fabric-chaincode-java CVE-2026-45581

| EUVDEUVD-2026-35139 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-19 https://github.com/hyperledger/fabric-chaincode-java GHSA-wg5x-3g47-v38r
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 16:35 vuln.today
Analysis Generated
May 19, 2026 - 16:35 vuln.today

DescriptionGitHub Advisory

When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server.

Recommendation

  • Update to the fixed version of the chaincode runtime.
  • Redact or remove existing logs that contain the TLS private key password.
  • Change the TLS private key password.

Mitigation

Impacted deployments can mitigate the vulnerability by restricting the logging level to WARNING or higher so that INFO level logs are not written.

AnalysisAI

TLS private key password exposure in Hyperledger fabric-chaincode-java (versions 2.3.1 through 2.5.9) leaks credentials to any local user with read access to chaincode server logs when the service runs in chaincode-as-a-service (CaaS) mode with TLS enabled. The fabric-chaincode-shim runtime logs the TLS private key password in plaintext at INFO level during server startup, classified under CWE-532. A local attacker who recovers the logged password and separately obtains the TLS private key file gains the material needed to impersonate the chaincode server, potentially intercepting or injecting chaincode communications. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

The affected component is the Maven artifact org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim (CPE: pkg:maven/org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim), which is the Java shim library enabling Hyperledger Fabric chaincode to communicate with the peer node. Chaincode-as-a-service (CaaS) is a Fabric deployment mode where chaincode runs as an external service rather than inside a managed Docker container, requiring a separate TLS-secured gRPC channel between the peer and the chaincode server. The root cause is CWE-532: Insertion of Sensitive Information into Log File - during server initialization, the shim logs its startup parameters including the TLS private key password (passphrase protecting the PKCS private key) at the default INFO log level, which is commonly retained in log aggregation systems, container stdout, or log files readable by operators and monitoring agents. Exploitation of the full impersonation scenario requires chaining the password disclosure with independent access to the encrypted private key file itself.

RemediationAI

The primary fix is upgrading the fabric-chaincode-shim Maven dependency to version 2.5.10 or later, as documented in the GitHub Security Advisory at https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r. After upgrading, rotate the TLS private key password and redact or purge any existing log archives (stdout captures, log aggregation indexes, container logs) that may contain the plaintext password from prior startups - those historical records remain a residual exposure even after patching. If an immediate upgrade is not feasible, the documented mitigation is to configure the chaincode server logging level to WARNING or higher, which suppresses INFO-level output and prevents the password from being written to new log entries; note that this mitigation does not remediate previously written logs and may reduce operational visibility into chaincode startup diagnostics. No other workarounds are identified in available data.

Share

CVE-2026-45581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy