{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40091", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.206Z", "datePublished": "2026-04-14T23:50:25.479Z", "dateUpdated": "2026-04-15T13:23:15.155Z"}, "containers": {"cna": {"title": "SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58"}, {"name": "https://github.com/authzed/spicedb/releases/tag/v1.51.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/authzed/spicedb/releases/tag/v1.51.1"}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"version": ">= 1.49.0, < 1.51.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:50:25.479Z"}, "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup \"configuration\" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error."}], "source": {"advisory": "GHSA-jf4f-rr2c-9m58", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:23:09.983559Z", "id": "CVE-2026-40091", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:23:15.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40091", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:23:09.983559Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:23:12.496Z"}}], "cna": {"title": "SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs", "source": {"advisory": "GHSA-jf4f-rr2c-9m58", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"status": "affected", "version": ">= 1.49.0, < 1.51.1"}]}], "references": [{"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58", "name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authzed/spicedb/releases/tag/v1.51.1", "name": "https://github.com/authzed/spicedb/releases/tag/v1.51.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup \"configuration\" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:50:25.479Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40091", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:23:15.155Z", "dateReserved": "2026-04-09T00:39:12.206Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T23:50:25.479Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup \"configuration\" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error."}], "id": "CVE-2026-40091", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T04:17:46.360", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/authzed/spicedb/releases/tag/v1.51.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs", "id": "2458577", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458577"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-532", "details": ["A flaw was found in SpiceDB. When SpiceDB starts with log level `info`, the startup configuration log will expose the full datastore Data Source Name (DSN), including the plaintext password. This vulnerability allows an attacker with access to these logs to obtain sensitive database credentials, potentially leading to unauthorized access to the datastore."], "mitigation": {"lang": "en:us", "value": "To mitigate this flaw, configure the log level to 'warn' or 'error', instead of 'info'."}, "name": "CVE-2026-40091", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Not affected", "package_name": "multicluster-globalhub/multicluster-globalhub-agent-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Not affected", "package_name": "multicluster-globalhub/multicluster-globalhub-manager-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Not affected", "package_name": "multicluster-globalhub/multicluster-globalhub-rhel9-operator", "product_name": "Multicluster Global Hub"}], "public_date": "2026-04-14T23:50:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40091\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40091\nhttps://github.com/authzed/spicedb/releases/tag/v1.51.1\nhttps://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58"], "statement": "To exploit this vulnerability, a local attacker needs to have read access to the startup configuration log. Due to this reason, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}