Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:C/RE:L/U:Green
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:C/RE:L/U:Green
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 maven packages depend on com.vaadin:flow-gradle-plugin (1 direct, 1 indirect)
- 2 maven packages depend on com.vaadin:flow-maven-plugin (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 24.0.0 and other introduced versions.
DescriptionCVE.org
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.10.3 Vaadin 25.0.0 - 25.1.4
Mitigation Upgrade to 23.6.10 Upgrade to 24.10.4 or newer Upgrade to 25.1.5 or newer
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.
ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.1.4≥25.1.5
AnalysisAI
Vaadin Flow's Maven and Gradle build plugins expose all process-level environment variables - including CI-injected secrets and credentials - in plaintext build logs whenever the frontend build process exits with a non-zero status code. Affected are com.vaadin:flow-maven-plugin, flow-gradle-plugin, and flow-plugin-base across Vaadin 23.0.0-23.6.9, 24.0.0-24.10.3, and 25.0.0-25.1.4. No public exploit code exists and this is not listed in CISA KEV; however, any actor with read access to CI build logs from a failed frontend build can extract plaintext registry credentials, deploy tokens, or signing keys, enabling downstream supply chain compromise consistent with the CVSS SC:H/SI:H subsequent-system impact ratings.
Technical ContextAI
The root cause is CWE-209 (Generation of Error Message Containing Sensitive Information). The affected plugins previously used the third-party library org.zeroturnaround:zt-exec (ProcessExecutor) to invoke frontend build toolchains such as npm and Vite. When ProcessExecutor's command invocation returned a non-zero exit code, the exception-handling path in BuildFrontendUtil.java logged the full ProcessBuilder environment - the complete map of OS-level environment variables - to build output. CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) routinely inject sensitive credentials as environment variables, making any failed frontend build a potential credential dump. The GitHub PR #24219 fix removes the zt-exec dependency entirely from flow-plugin-base and flow-maven-plugin, replacing ProcessExecutor with a custom Java-native ProcessBuilder and BufferedReader implementation that does not expose environment state on failure. CPE cpe:2.3:a:vaadin:flow:*:*:*:*:*:*:*:* covers all affected Vaadin Flow versions across the 23.x, 24.x, and 25.x release branches.
RemediationAI
The primary fix is to upgrade to a patched Vaadin release. For the 24.x branch, upgrade to com.vaadin:flow-maven-plugin and flow-plugin-base version 24.10.4 or newer; for the 25.x branch, upgrade to 25.1.5 or newer. For the 23.x branch, note a discrepancy in the vendor advisory: the mitigation text states 'Upgrade to 23.6.10' while the artifact version table lists 23.6.10 as still vulnerable and ≥23.6.11 as fixed - verify the exact artifact version against the vendor advisory at https://vaadin.com/security/cve-2026-7860 before upgrading in the 23.x stream. The upstream code change (GitHub PR #24219) removes the zt-exec dependency and replaces ProcessExecutor with native Java process handling that does not dump environment state on failure. As an immediate compensating control where upgrading is not yet possible, rotate any secrets that may have been written to CI build logs (API keys, container registry passwords, deploy tokens, code-signing keys) - rotation removes attacker utility from already-leaked values without requiring a build change. Additionally, restrict CI log and artifact access to only authorized personnel, and audit existing archived build artifacts for exposed secrets using tools such as truffleHog or gitleaks. Restricting log access is not a fix for future exposures - only the patch eliminates the root cause.
Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execut
The mintToken function of a smart contract implementation for Flow, an Ethereum token, has an integer overflow that allo
A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts
Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted mes
Improper cryptographic implementation in Samsung Flow for Android prior to version 4.9.04 allows adjacent attackers to d
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.
Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenti
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9),
Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadi
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.
Improper verification of intent by broadcast receiver in Samsung Flow prior to version 4.9.17.6 allows local attackers t
Improper input validation in Samsung Flow prior to version 4.9.17.6 allows local attackers to access data within Samsung
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30891
GHSA-j8mx-j73w-9mxw