Description
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.


Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version           Mitigation
Vaadin 23.0.0 - 23.6.9    Upgrade to 23.6.10
Vaadin 24.0.0 - 24.10.3   Upgrade to 24.10.4 or newer
Vaadin 25.0.0 - 25.1.4    Upgrade to 25.1.5 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.

Artifacts

Maven coordinates               Vulnerable versions   Fixed version
com.vaadin:flow-plugin-base     23.0.0 - 23.6.10      ≥23.6.11
com.vaadin:flow-plugin-base     24.0.0 - 24.10.3      ≥24.10.4
com.vaadin:flow-plugin-base     25.0.0 - 25.1.4       ≥25.1.5
com.vaadin:flow-maven-plugin    23.0.0 - 23.6.10      ≥23.6.11
com.vaadin:flow-maven-plugin    24.0.0 - 24.10.3      ≥24.10.4
com.vaadin:flow-maven-plugin    25.0.0 - 25.1.4       ≥25.1.5
com.vaadin:flow-gradle-plugin   24.0.0 - 24.10.3      ≥24.10.4
com.vaadin:flow-gradle-plugin   25.0.0 - 25.1.4       ≥25.1.5

Note that the two tables disagree on the 23 line: the product table says upgrade to 23.6.10, while the artifact table lists 23.6.10 as still vulnerable and ≥23.6.11 as the first fixed plugin version. When pinning the plugin artifact directly, use 23.6.11 or newer.
Published: 2026-05-19
Score: 1.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the Vaadin Maven and Gradle build plugins causes the full set of environment variables to be written to the build log whenever the frontend build process exits with a non-zero status. Because CI build environments routinely receive credentials as environment variables (registry tokens, deployment keys, database passwords), a single failed frontend build can expose those secrets in clear text to anyone who can read the CI logs or the archived build artifacts. The flaw is classified as CWE-209 (Generation of Error Message Containing Sensitive Information).

Affected Systems

The issue affects the Vaadin Flow build plugins in the 23, 24 and 25 release lines: com.vaadin:flow-plugin-base, com.vaadin:flow-maven-plugin and com.vaadin:flow-gradle-plugin (the Gradle plugin only in the 24 and 25 lines). Product versions 23.0.0-23.6.9, 24.0.0-24.10.3 and 25.0.0-25.1.4 are affected, with fixes in 23.6.10, 24.10.4 and 25.1.5 respectively, all of which are supported releases. The artifact table in the advisory lists ≥23.6.11 as the first fixed version for the 23.x plugin artifacts, so use that or newer when pinning the plugin directly. Vaadin 10-13 and 15-22 are out of support and receive no fix; projects on those lines must move to a supported 23, 24 or 25 release.

Risk and Exploitability

The CVSS 4.0 score is 1.6 (Low). The vector (AV:L/AC:H/AT:P/PR:L/UI:P, E:U) reflects that the attacker needs some local or pipeline-level access, that a specific precondition (a failed frontend build) must hold, and that no exploitation has been reported. EPSS is below 1% and the CVE is not in CISA's KEV catalog, so there is no indication of exploitation in the wild. The realistic exposure is in continuous integration pipelines: any secret handed to the build step as an environment variable is written to the log of every failed frontend build, where it can be read by anyone with access to the CI logs or archived artifacts. An attacker therefore needs either read access to the logs of an already-failed build, or a way to make the frontend build fail (for example a contributor whose change breaks the frontend build) in a pipeline whose logs they can read. The low technical score understates the practical consequence if the leaked variable is a deployment or registry credential.

Generated by OpenCVE AI on May 19, 2026 at 12:20 UTC.

Remediation

Vendor Solution

Users of affected versions should apply the mitigation or upgrade listed in the version tables in the Description above: 23.6.10, 24.10.4 or 25.1.5 for the product, or the corresponding fixed plugin artifact versions (≥23.6.11, ≥24.10.4, ≥25.1.5).


OpenCVE Recommended Actions

  • Upgrade com.vaadin:flow-plugin-base to 24.10.4 or newer, or 25.1.5 or newer; on the 23 line, upgrade to at least 23.6.10 (the artifact table lists 23.6.11 as the first fixed plugin version, so prefer that or newer).
  • Upgrade com.vaadin:flow-maven-plugin to the same versions: at least 23.6.10 (preferably 23.6.11 or newer), 24.10.4 or newer, or 25.1.5 or newer.
  • Upgrade com.vaadin:flow-gradle-plugin to 24.10.4 or newer, or 25.1.5 or newer.
  • If upgrading immediately is not possible, stop passing secrets to the frontend build step as environment variables and inject them only into the steps that need them. The dump is written by the plugin, not by the CI runner, so CI secret masking only covers values that were registered with the CI system; anything else in the environment is written in the clear.
  • Review the logs of past failed frontend builds, rotate every credential that appears in them, and only then delete or redact those logs. Deleting a log does not revoke a credential that someone may already have read.
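The last two actions are where most of the practical work lies, so here is an added example of how a security engineer might triage build logs for this exposure. It is not code from Vaadin or OpenCVE. The advisory does not show the exact format the plugin uses when it writes the environment, so the script assumes one NAME=VALUE pair per log line, optionally behind a Maven-style [LEVEL] prefix, and the sample log it runs on is constructed for this example. It flags variables by credential-like names and, for neutral names, by long high-entropy values, so that secrets the CI system never saw as registered secrets are still caught, and it produces a redacted copy of the log suitable for archiving.

```python
"""Triage a CI log for environment variables dumped by a failed frontend build.

Added example for this advisory; not code from Vaadin or OpenCVE. Assumptions
that the advisory does not state: the dump appears as one NAME=VALUE pair per
log line, optionally behind a Maven-style "[LEVEL]" prefix, and SAMPLE_LOG
below is constructed for this example.
"""
import math
import re
from collections import Counter

# One dumped environment variable per line, e.g. "[ERROR] NPM_TOKEN=...".
ENV_LINE = re.compile(
    r"^\s*(?:\[[A-Z]+\]\s*)?(?P<name>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$"
)

# Variable names that by convention carry credentials.
SECRET_NAME = re.compile(
    r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|CREDENTIAL|AUTH",
    re.IGNORECASE,
)

# Always present in a build environment and never a credential; skipped as noise.
BENIGN_NAMES = {"PATH", "HOME", "PWD", "SHELL", "LANG", "TERM", "USER", "JAVA_HOME"}

ENTROPY_THRESHOLD = 4.5  # bits/char; random tokens exceed this, paths and words do not
MIN_SECRET_LEN = 20


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-character strings)."""
    if not s:
        return 0.0
    n = len(s)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(s).values()))


def looks_secret(name: str, value: str) -> bool:
    """Flag a variable by its name, or by a long high-entropy value when the name is neutral."""
    if name.upper() in BENIGN_NAMES:
        return False
    if SECRET_NAME.search(name):
        return True
    return len(value) >= MIN_SECRET_LEN and shannon_entropy(value) > ENTROPY_THRESHOLD


def find_leaked_vars(log_text: str) -> list[str]:
    """Names of variables in the log whose values must be treated as compromised."""
    names = set()
    for line in log_text.splitlines():
        m = ENV_LINE.match(line)
        if m and looks_secret(m["name"], m["value"]):
            names.add(m["name"])
    return sorted(names)


def redact(log_text: str) -> str:
    """Copy of the log with flagged values replaced, for archiving after rotation."""
    out = []
    for line in log_text.splitlines():
        m = ENV_LINE.match(line)
        if m and looks_secret(m["name"], m["value"]):
            line = line[: m.start("value")] + "<redacted>"
        out.append(line)
    return "\n".join(out)


# Constructed sample: what a failed frontend build's log might look like after
# the plugin dumps the environment. Names and values are made up for this example.
SAMPLE_LOG = """\
[INFO] --- frontend build ---
[ERROR] Frontend build failed with exit code 1
[ERROR] PATH=/usr/local/bin:/usr/bin
[ERROR] HOME=/home/runner
[ERROR] CI=true
[ERROR] GRADLE_USER_HOME=/home/runner/.gradle
[ERROR] NPM_TOKEN=npm_3f9ac0b1d2e4f5a6b7c8d9e0f1a2b3c4
[ERROR] DATABASE_PASSWORD=correct-horse-battery-staple
[ERROR] DEPLOY_CREDS=q8Zr2LmX0vKdP4nYwT7sBfJ1hGcA9eUo
"""

if __name__ == "__main__":
    print("rotate:", find_leaked_vars(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Everything returned by find_leaked_vars should be rotated before the logs are redacted or deleted: the plugin wrote the values itself, so CI-level masking only ever covered values registered with the CI system, and anyone with past read access to the log may already hold the rest. The 4.5 bits-per-character threshold is the usual base64-token heuristic; it lets paths and option strings through while catching random tokens (DEPLOY_CREDS above is flagged on entropy alone, since its name matches no convention), and it is a tunable, not a guarantee.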

Generated by OpenCVE AI on May 19, 2026 at 12:20 UTC.


Advisories

No advisories yet.

History

Tue, 19 May 2026 12:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Vaadin
                                      Vaadin flow
Vendors & Products                    Vaadin
                                      Vaadin flow

Tue, 19 May 2026 11:30:00 +0000

Type          Values Removed   Values Added
Description                    (the advisory text reproduced in the Description section above)
Title                          Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build
Weaknesses                     CWE-209
References
Metrics                        cvssV4_0: score 1.6, vector CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green


MITRE

Status: PUBLISHED

Assigner: Vaadin

Published:

Updated: 2026-05-19T11:01:47.212Z

Reserved: 2026-05-05T11:51:33.170Z

Link: CVE-2026-7860

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T12:16:19.960

Modified: 2026-05-19T12:16:19.960

Link: CVE-2026-7860

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T12:30:05Z

Weaknesses