Skip to main content

Vaadin Flow EUVDEUVD-2026-30891

| CVE-2026-7860 LOW
Error Message Information Leak (CWE-209)
2026-05-19 Vaadin GHSA-j8mx-j73w-9mxw
1.6
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.6 LOW
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:C/RE:L/U:Green

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:C/RE:L/U:Green
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
P
Scope
N

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 12:04 vuln.today
Analysis Generated
May 19, 2026 - 12:04 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on com.vaadin:flow-gradle-plugin (1 direct, 1 indirect)
  • 2 maven packages depend on com.vaadin:flow-maven-plugin (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 24.0.0 and other introduced versions.

DescriptionCVE.org

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.10.3 Vaadin 25.0.0 - 25.1.4

Mitigation Upgrade to 23.6.10 Upgrade to 24.10.4 or newer Upgrade to 25.1.5 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.

ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.1.4≥25.1.5

AnalysisAI

Vaadin Flow's Maven and Gradle build plugins expose all process-level environment variables - including CI-injected secrets and credentials - in plaintext build logs whenever the frontend build process exits with a non-zero status code. Affected are com.vaadin:flow-maven-plugin, flow-gradle-plugin, and flow-plugin-base across Vaadin 23.0.0-23.6.9, 24.0.0-24.10.3, and 25.0.0-25.1.4. No public exploit code exists and this is not listed in CISA KEV; however, any actor with read access to CI build logs from a failed frontend build can extract plaintext registry credentials, deploy tokens, or signing keys, enabling downstream supply chain compromise consistent with the CVSS SC:H/SI:H subsequent-system impact ratings.

Technical ContextAI

The root cause is CWE-209 (Generation of Error Message Containing Sensitive Information). The affected plugins previously used the third-party library org.zeroturnaround:zt-exec (ProcessExecutor) to invoke frontend build toolchains such as npm and Vite. When ProcessExecutor's command invocation returned a non-zero exit code, the exception-handling path in BuildFrontendUtil.java logged the full ProcessBuilder environment - the complete map of OS-level environment variables - to build output. CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) routinely inject sensitive credentials as environment variables, making any failed frontend build a potential credential dump. The GitHub PR #24219 fix removes the zt-exec dependency entirely from flow-plugin-base and flow-maven-plugin, replacing ProcessExecutor with a custom Java-native ProcessBuilder and BufferedReader implementation that does not expose environment state on failure. CPE cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:* covers all affected Vaadin Flow versions across the 23.x, 24.x, and 25.x release branches.

RemediationAI

The primary fix is to upgrade to a patched Vaadin release. For the 24.x branch, upgrade to com.vaadin:flow-maven-plugin and flow-plugin-base version 24.10.4 or newer; for the 25.x branch, upgrade to 25.1.5 or newer. For the 23.x branch, note a discrepancy in the vendor advisory: the mitigation text states 'Upgrade to 23.6.10' while the artifact version table lists 23.6.10 as still vulnerable and ≥23.6.11 as fixed - verify the exact artifact version against the vendor advisory at https://vaadin.com/security/cve-2026-7860 before upgrading in the 23.x stream. The upstream code change (GitHub PR #24219) removes the zt-exec dependency and replaces ProcessExecutor with native Java process handling that does not dump environment state on failure. As an immediate compensating control where upgrading is not yet possible, rotate any secrets that may have been written to CI build logs (API keys, container registry passwords, deploy tokens, code-signing keys) - rotation removes attacker utility from already-leaked values without requiring a build change. Additionally, restrict CI log and artifact access to only authorized personnel, and audit existing archived build artifacts for exposed secrets using tools such as truffleHog or gitleaks. Restricting log access is not a fix for future exposures - only the patch eliminates the root cause.

More in Flow

View all
CVE-2026-22683 HIGH POC
8.7 Apr 07

Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execut

CVE-2018-13525 HIGH POC
7.5 Jul 09

The mintToken function of a smart contract implementation for Flow, an Ethereum token, has an integer overflow that allo

CVE-2023-30094 MEDIUM POC
5.4 May 04

A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts

CVE-2023-21444 HIGH
8.8 Feb 09

Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted mes

CVE-2023-21443 HIGH
8.8 Feb 09

Improper cryptographic implementation in Samsung Flow for Android prior to version 4.9.04 allows adjacent attackers to d

CVE-2021-31411 HIGH
7.8 May 05

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.

CVE-2026-57793 HIGH
7.5 Jul 13

Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenti

CVE-2021-31407 HIGH
7.5 Apr 23

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9),

CVE-2021-31405 HIGH
7.5 Apr 23

Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadi

CVE-2021-31408 HIGH
7.1 Apr 23

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.

CVE-2025-20972 MEDIUM
6.2 May 07

Improper verification of intent by broadcast receiver in Samsung Flow prior to version 4.9.17.6 allows local attackers t

CVE-2025-20971 MEDIUM
5.5 May 07

Improper input validation in Samsung Flow prior to version 4.9.17.6 allows local attackers to access data within Samsung

Share

EUVD-2026-30891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy