Description
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.


Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version
Vaadin 23.0.0 - 23.6.9
Vaadin 24.0.0 - 24.9.16
Vaadin 24.10.0 - 24.10.3
Vaadin 25.0.0 - 25.0.10
Vaadin 25.1.0 - 25.1.4

Mitigation
Upgrade to 23.6.10
Upgrade to 24.9.17 or newer
Upgrade to 24.10.4 or newer
Upgrade to 25.0.11 or newer
Upgrade to 25.1.5 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.

ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4≥25.1.5
Published: 2026-05-19
Score: 1.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A possible information disclosure vulnerability exists in the Vaadin Maven and Gradle plugins, where the full set of environment variables is written to build logs whenever the frontend build process exits with a non‑zero status. Because the build environment may contain secrets, a failed frontend build can expose those credentials in clear text in CI logs and archived artifacts. This flaw is an information exposure weakness (CWE‑209).

Affected Systems

The issue affects Vaadin Flow plugins for versions 23.0.0 through 25.1.4. Specifically, the Vaadin Flow Plugin Base, Vaadin Flow Maven Plugin, and Vaadin Flow Gradle Plugin are vulnerable. The vulnerable ranges are 23.0.0‑23.6.9, 24.0.0‑24.10.3, and 25.0.0‑25.1.4; the problem is fixed starting at 23.6.10, 24.10.4, and 25.1.5 respectively, which are supported releases.

Risk and Exploitability

The CVSS score of 1.6 indicates a low severity from a technical standpoint. The EPSS score is < 1%, suggesting a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, indicating limited known commercial exploitation. The attack vector is likely internal or within continuous integration pipelines, where a build failure could inadvertently leak sensitive data to anyone with access to the logs. The flaw requires a failed frontend build to trigger the log write, so an attacker would need to cause a build failure or already have access to the logs of a failed build.

Generated by OpenCVE AI on May 21, 2026 at 19:21 UTC.

Remediation

Vendor Solution

Users of affected versions should apply the following mitigation or upgrade.

OpenCVE Recommended Actions

  • Upgrade Vaadin Flow Plugin Base to version 23.6.10 or newer, 24.10.4 or newer, or 25.1.5 or newer.
  • Upgrade Vaadin Flow Maven Plugin to version 23.6.10 or newer, 24.10.4 or newer, or 25.1.5 or newer.
  • Upgrade Vaadin Flow Gradle Plugin to version 24.10.4 or newer, or 25.1.5 or newer.
  • If upgrading immediately is not possible, remove or mask environment variable logging in CI pipelines and delete any logs that contain sensitive data from past build failures.

Generated by OpenCVE AI on May 21, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j8mx-j73w-9mxw Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability
History

Thu, 21 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.10.3 Vaadin 25.0.0 - 25.1.4 Mitigation Upgrade to 23.6.10 Upgrade to 24.10.4 or newer Upgrade to 25.1.5 or newer Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version. ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.1.4≥25.1.5 A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.9.16 Vaadin 24.10.0 - 24.10.3 Vaadin 25.0.0 - 25.0.10 Vaadin 25.1.0 - 25.1.4 Mitigation Upgrade to 23.6.10 Upgrade to 24.9.17 or newer Upgrade to 24.10.4 or newer Upgrade to 25.0.11 or newer Upgrade to 25.1.5 or newer Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version. ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4≥25.1.5

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Vaadin
Vaadin flow
Vendors & Products Vaadin
Vaadin flow

Tue, 19 May 2026 11:30:00 +0000

Type Values Removed Values Added
Description A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.10.3 Vaadin 25.0.0 - 25.1.4 Mitigation Upgrade to 23.6.10 Upgrade to 24.10.4 or newer Upgrade to 25.1.5 or newer Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version. ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.1.4≥25.1.5
Title Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build
Weaknesses CWE-209
References
Metrics cvssV4_0

{'score': 1.6, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green'}

Subscriptions

Vaadin Flow
cve-icon MITRE

Status: PUBLISHED

Assigner: Vaadin

Published:

Updated: 2026-05-21T18:09:14.990Z

Reserved: 2026-05-05T11:51:33.170Z

Link: CVE-2026-7860

cve-icon Vulnrichment

Updated: 2026-05-19T13:42:34.487Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-19T12:16:19.960

Modified: 2026-05-21T19:16:55.610

Link: CVE-2026-7860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T19:30:17Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information