{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40091", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.206Z", "datePublished": "2026-04-14T23:50:25.479Z", "dateUpdated": "2026-04-15T13:23:15.155Z"}, "containers": {"cna": {"title": "SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58"}, {"name": "https://github.com/authzed/spicedb/releases/tag/v1.51.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/authzed/spicedb/releases/tag/v1.51.1"}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"version": ">= 1.49.0, < 1.51.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:50:25.479Z"}, "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup \"configuration\" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error."}], "source": {"advisory": "GHSA-jf4f-rr2c-9m58", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:23:09.983559Z", "id": "CVE-2026-40091", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:23:15.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40091", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:23:09.983559Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:23:12.496Z"}}], "cna": {"title": "SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs", "source": {"advisory": "GHSA-jf4f-rr2c-9m58", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"status": "affected", "version": ">= 1.49.0, < 1.51.1"}]}], "references": [{"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58", "name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authzed/spicedb/releases/tag/v1.51.1", "name": "https://github.com/authzed/spicedb/releases/tag/v1.51.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup \"configuration\" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:50:25.479Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40091", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:23:15.155Z", "dateReserved": "2026-04-09T00:39:12.206Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T23:50:25.479Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.49.0,1.51.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "spicedb", "source": "cna", "vendor": "authzed"}, "product": "spicedb", "vendor": "authzed"}], "analysis": {"en": {"generated_at": "2026-04-15T01:50:34.318108+00:00", "value": {"mitigation_remediation": ["Upgrade SpiceDB to version 1.51.1 or later to eliminate password disclosure.", "If upgrade is not immediately possible, change the log level to warn or error so that the connection string is not logged.", "Restrict access to application logs or implement log filtering to redact the datastore DSN from any output that may still be produced."], "summary": {"action": "Patch", "impact": "Exposure of datastore credentials via startup logs"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Authzed SpiceDB product from versions 1.49.0 to 1.51.0. Users running any of those releases are impacted until they upgrade to 1.51.1 or later.", "description_and_impact": "SpiceDB versions 1.49.0 through 1.51.0 record the full datastore connection string\u2014including the plaintext password\u2014in info\u2011level logs during startup. The configuration log is exposed to anyone who can read log output, providing unauthenticated access to credentials that could be used to connect to the underlying database or compromise other services that rely on that connection. This disclosure can lead to data leakage or unauthorized data manipulation, representing a moderate\u2011severity confidentiality compromise. The weakness is classified as improper output of sensitive information, CWE\u2011532.", "risk_and_exploitability": "The CVSS score is 6.0, indicating moderate severity. EPSS information is not available and the issue is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation yet still presenting a tangible risk. Attackers could exploit the leak if they can view application logs, which may be the case in cloud environments with shared logging or if logs are forwarded to central log management systems without proper access controls. The defect is generally exploitable by anyone with log access and is limited to information disclosure; additional privileges would be required for further damage."}}}}, "created": "2026-04-15T13:48:23.610096+00:00", "updated": "2026-04-15T13:49:14.874661+00:00", "vendors": ["authzed", "authzed$PRODUCT$spicedb"]}