CVE-2026-40091

MEDIUM

SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

Title source: cna

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.

References (2)

[X_Refsource_Confirm] https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58

[X_Refsource_Misc] https://github.com/authzed/spicedb/releases/tag/v1.51.1

Scores

CVSS v3 6.0

EPSS 0.0001

EPSS Percentile 1.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Details

CWE

CWE-532

Status published

Products (2)

authzed/spicedb 1.49.0 - 1.51.1

authzed/spicedb >= 1.49.0, < 1.51.1

Published Apr 15, 2026

Tracked Since Apr 15, 2026