CVE-2026-40091
Received Received - Intake

Information Disclosure in SpiceDB Logs Exposes Plaintext Passwords

Vulnerability report for CVE-2026-40091, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-15

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-15
Last Modified
2026-04-23
Generated
2026-07-06
AI Q&A
2026-04-15
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
authzed spicedb From 1.49.0 (inc) to 1.51.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability causes sensitive datastore credentials, including plaintext passwords, to be logged during startup when the log level is set to "info." Such exposure of confidential information in logs can lead to unauthorized access if logs are improperly accessed or retained.

Exposure of sensitive credentials may violate data protection and security requirements mandated by common standards and regulations such as GDPR and HIPAA, which require safeguarding sensitive information and ensuring confidentiality.

Therefore, this vulnerability could negatively impact compliance with these regulations by increasing the risk of unauthorized disclosure of sensitive information.

Executive Summary

CVE-2026-40091 is an information disclosure vulnerability in SpiceDB versions 1.49.0 through 1.51.0. When SpiceDB starts with the log level set to "info," the startup configuration log outputs the full datastore Data Source Name (DSN), including the plaintext password, inside the DatastoreConfig.URI field.

This means sensitive credentials are exposed in the logs, which poses a confidentiality risk. The vulnerability requires local access with high privileges to exploit and does not require user interaction.

The issue was fixed in version 1.51.1 by removing the sensitive information from the startup logs. As a workaround, users can change the log level to "warn" or "error" to prevent the sensitive DSN from being logged during startup.

Impact Analysis

This vulnerability can lead to the exposure of sensitive datastore credentials, specifically the plaintext password used in the datastore DSN.

If an attacker gains local access with high privileges, they could read the startup logs and obtain these credentials, potentially allowing unauthorized access to the datastore.

The confidentiality impact is high, which could compromise the security of the application permissions managed by SpiceDB.

Detection Guidance

This vulnerability can be detected by checking the startup logs of SpiceDB when it is running with the log level set to "info." Specifically, you should look for the presence of the full datastore Data Source Name (DSN), including the plaintext password, inside the DatastoreConfig.URI field in the logs.

Commands to detect this might include searching the logs for sensitive information patterns or the DSN string. For example, you could use commands like:

  • grep 'DatastoreConfig.URI' /path/to/spicedb/logfile
  • journalctl -u spicedb.service | grep 'DatastoreConfig.URI'
  • docker logs <container_id> | grep 'DatastoreConfig.URI'

If the DSN with plaintext password appears in the logs, the system is vulnerable if running a version between 1.49.0 and 1.51.0 with log level info.

Mitigation Strategies

The immediate mitigation steps are to either upgrade SpiceDB to version 1.51.1 or later, where the vulnerability is fixed, or if upgrading is not immediately possible, to change the log level to "warn" or "error."

Changing the log level to "warn" or "error" prevents the sensitive datastore DSN, including plaintext passwords, from being logged during startup, thereby mitigating the risk of credential exposure.

Upgrading can be done by pulling the fixed Docker image tags authzed/spicedb:v1.51.1, quay.io/authzed/spicedb:v1.51.1, or ghcr.io/authzed/spicedb:v1.51.1.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart