CVE-2026-45581 - Vulnerability Details

- fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode

Description

fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10.

Published: 2026-06-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

fabric-chaincode-java versions from 2.3.1 up to before 2.5.10 log the TLS private key password in plain text when deployed in chaincode-as-a-service mode with TLS enabled. An attacker who can read the chaincode server logs can recover the password. If the attacker also obtains the TLS private key, they can impersonate the chaincode server and potentially interfere with the ledger or transaction processing.

Affected Systems

The affected product is hyperledger fabric-chaincode-java, a Java implementation of Hyperledger Fabric chaincode shim APIs. Vulnerable releases include all versions from 2.3.1 through 2.5.9; the issue is fixed in version 2.5.10 and later.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate risk. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is an attacker with access to the chaincode logs, such as a user or a compromised system, who could capture the password. If the attacker also locates the TLS private key file, they can impersonate the chaincode server, undermining authentication and potentially allowing unauthorized transaction submission or data manipulation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

hyperledger

fabric-chaincode-java

affected

Version	Status	Constraints
`>= 2.3.1, < 2.5.10`	affected	—

No data.

Vendor Product Confidence Versions

Hyperledger

Fabric-chaincode-java

100%

Version	Status	Scheme	Platform
`[2.3.1,2.5.10)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade hyperledger fabric-chaincode-java to version 2.5.10 or later to apply the official fix for the logging vulnerability.
Configure the chaincode server logging level to WARN or higher so that sensitive TLS credential information is not recorded in logs during operation.
Review TLS setup to avoid exposing private key passwords in configuration files or environment variables; consider using secure credential stores or key management services to store secrets.

Generated by OpenCVE AI on June 8, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-wg5x-3g47-v38r	fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r

History

Tue, 09 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hyperledger Hyperledger fabric-chaincode-java
Vendors & Products		Hyperledger Hyperledger fabric-chaincode-java

Mon, 08 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10.
Title		fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode
Weaknesses		CWE-532
References		https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Hyperledger Fabric-chaincode-java

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-08T16:53:45.829Z

Updated: 2026-06-09T15:51:04.589Z

Reserved: 2026-05-12T19:00:14.601Z

Link: CVE-2026-45581

Vulnrichment

Updated: 2026-06-09T15:50:59.421Z

NVD

Status : Deferred

Published: 2026-06-08T17:16:44.360

Modified: 2026-06-09T15:25:56.860

Link: CVE-2026-45581

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:56:44Z

Weaknesses

CWE-532

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object