CVE-2026-40091
MEDIUMSpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs
Title source: cnaDescription
SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.
References (2)
Core 2
Core References
X_Refsource_Misc x_refsource_misc
https://github.com/authzed/spicedb/releases/tag/v1.51.1
X_Refsource_Confirm x_refsource_confirm
https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58
Scores
CVSS v3
6.0
EPSS
0.0017
EPSS Percentile
6.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (3)
authzed/spicedb
1.49.0 - 1.51.1
authzed/spicedb
1.49.0 - 1.51.1Go
authzed/spicedb
>= 1.49.0, < 1.51.1
Published
Apr 15, 2026
Tracked Since
Apr 15, 2026