CVE-2026-40091 - Vulnerability Details

- SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.

Published: 2026-04-14

Score: 6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

SpiceDB versions 1.49.0 through 1.51.0 record the full datastore connection string—including the plaintext password—in info‑level logs during startup. The configuration log is exposed to anyone who can read log output, providing unauthenticated access to credentials that could be used to connect to the underlying database or compromise other services that rely on that connection. This disclosure can lead to data leakage or unauthorized data manipulation, representing a moderate‑severity confidentiality compromise. The weakness is classified as improper output of sensitive information, CWE‑532.

Affected Systems

The vulnerability affects the Authzed SpiceDB product from versions 1.49.0 to 1.51.0. Users running any of those releases are impacted until they upgrade to 1.51.1 or later.

Risk and Exploitability

The CVSS score is 6.0, indicating moderate severity. EPSS information is not available and the issue is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation yet still presenting a tangible risk. Attackers could exploit the leak if they can view application logs, which may be the case in cloud environments with shared logging or if logs are forwarded to central log management systems without proper access controls. The defect is generally exploitable by anyone with log access and is limited to information disclosure; additional privileges would be required for further damage.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

authzed

spicedb

affected

Version	Status	Constraints
`>= 1.49.0, < 1.51.1`	affected	—

No data.

Vendor Product Confidence Versions

Authzed

Spicedb

100%

Version	Status	Scheme	Platform
`[1.49.0,1.51.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade SpiceDB to version 1.51.1 or later to eliminate password disclosure.
If upgrade is not immediately possible, change the log level to warn or error so that the connection string is not logged.
Restrict access to application logs or implement log filtering to redact the datastore DSN from any output that may still be produced.

Generated by OpenCVE AI on April 15, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-jf4f-rr2c-9m58	SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00009.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/authzed/spicedb/releases/tag/v1.51.1
https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58

History

Wed, 15 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 15 Apr 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Authzed Authzed spicedb
Vendors & Products		Authzed Authzed spicedb

Wed, 15 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.
Title		SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs
Weaknesses		CWE-532
References		https://github.com/authzed/spicedb/releases/tag/v1.51.1 https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58
Metrics		cvssV3_1 `{'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}`

Subscriptions

Authzed Spicedb

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-14T23:50:25.479Z

Updated: 2026-04-15T13:23:15.155Z

Reserved: 2026-04-09T00:39:12.206Z

Link: CVE-2026-40091

Vulnrichment

Updated: 2026-04-15T13:23:12.496Z

NVD

Status : Received

Published: 2026-04-15T04:17:46.360

Modified: 2026-04-15T04:17:46.360

Link: CVE-2026-40091

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses

CWE-532

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object