Executive Summary

CVE-2026-40091 is an information disclosure vulnerability in SpiceDB versions 1.49.0 through 1.51.0. When SpiceDB starts with the log level set to "info," the startup configuration log outputs the full datastore Data Source Name (DSN), including the plaintext password, inside the DatastoreConfig.URI field.

This means sensitive credentials are exposed in the logs, which poses a confidentiality risk. The vulnerability requires local access with high privileges to exploit and does not require user interaction.

The issue was fixed in version 1.51.1 by removing the sensitive information from the startup logs. As a workaround, users can change the log level to "warn" or "error" to prevent the sensitive DSN from being logged during startup.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the exposure of sensitive datastore credentials, specifically the plaintext password used in the datastore DSN.

If an attacker gains local access with high privileges, they could read the startup logs and obtain these credentials, potentially allowing unauthorized access to the datastore.

The confidentiality impact is high, which could compromise the security of the application permissions managed by SpiceDB.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking the startup logs of SpiceDB when it is running with the log level set to "info." Specifically, you should look for the presence of the full datastore Data Source Name (DSN), including the plaintext password, inside the DatastoreConfig.URI field in the logs.

Commands to detect this might include searching the logs for sensitive information patterns or the DSN string. For example, you could use commands like:

• grep 'DatastoreConfig.URI' /path/to/spicedb/logfile
• journalctl -u spicedb.service | grep 'DatastoreConfig.URI'
• docker logs <container_id> | grep 'DatastoreConfig.URI'

If the DSN with plaintext password appears in the logs, the system is vulnerable if running a version between 1.49.0 and 1.51.0 with log level info.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation steps are to either upgrade SpiceDB to version 1.51.1 or later, where the vulnerability is fixed, or if upgrading is not immediately possible, to change the log level to "warn" or "error."

Changing the log level to "warn" or "error" prevents the sensitive datastore DSN, including plaintext passwords, from being logged during startup, thereby mitigating the risk of credential exposure.

Upgrading can be done by pulling the fixed Docker image tags authzed/spicedb:v1.51.1, quay.io/authzed/spicedb:v1.51.1, or ghcr.io/authzed/spicedb:v1.51.1.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes sensitive datastore credentials, including plaintext passwords, to be logged during startup when the log level is set to "info." Such exposure of confidential information in logs can lead to unauthorized access if logs are improperly accessed or retained.

Exposure of sensitive credentials may violate data protection and security requirements mandated by common standards and regulations such as GDPR and HIPAA, which require safeguarding sensitive information and ensuring confidentiality.

Therefore, this vulnerability could negatively impact compliance with these regulations by increasing the risk of unauthorized disclosure of sensitive information.

Useful 0 Not Useful 0