Vulnerability Description
SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Authzed | Spicedb | >= 1.49.0, < 1.51.1 |
Related Weaknesses (CWE)
References
- https://github.com/authzed/spicedb/releases/tag/v1.51.1ProductRelease Notes
- https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58Vendor Advisory
FAQ
What is CVE-2026-40091?
CVE-2026-40091 is a vulnerability with a CVSS score of 6.0 (MEDIUM). SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "...
How severe is CVE-2026-40091?
CVE-2026-40091 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40091?
Check the references section above for vendor advisories and patch information. Affected products include: Authzed Spicedb.