CVE-2026-40091 MEDIUM

CVE-2026-40091: SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

Vendor Authzed
Product spicedb
Weakness CWE-532 · Sensitive info in logs
Published April 14, 2026
Last update April 15, 2026

CVSS base score

6.0/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.
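The practical follow-up to this advisory is to find out whether an affected instance has already written the datastore password into log storage, and to redact it before those logs are retained or shared. The check below is an added example, not code from SpiceDB or Authzed: it parses the `DatastoreConfig.URI` value out of a startup log line, reports whether the DSN carries a password, and rewrites the line with the password masked. The log line layout and the DSN in `SAMPLE_LOG_LINES` are constructed for the example; only the field name `DatastoreConfig.URI` comes from the advisory.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample startup log lines. The first mimics the "configuration" entry
# the advisory describes, with a made-up DSN; the exact SpiceDB log layout is an
# assumption for this example, not a verified format.
SAMPLE_LOG_LINES = [
    '2026-04-14T10:00:00Z INF configuration '
    'DatastoreConfig.URI="postgres://spicedb:s3cr3t-pw@db.internal:5432/spicedb?sslmode=require" '
    'DatastoreConfig.Engine=postgres',
    '2026-04-14T10:00:01Z INF datastore ready engine=postgres',
]

# Field name taken from the advisory; the quoting around the value is assumed.
URI_FIELD = re.compile(r'DatastoreConfig\.URI="([^"]*)"')


def dsn_has_password(dsn: str) -> bool:
    """True if the URI-style DSN carries a password in its userinfo component."""
    return urlsplit(dsn).password is not None


def redact_dsn(dsn: str) -> str:
    """Return the DSN with its password replaced by '***'; other parts are kept."""
    parts = urlsplit(dsn)
    if parts.password is None:
        return dsn
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = f"{parts.username}:***@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_startup_log(lines):
    """Scan log lines for a DatastoreConfig.URI value that embeds a password.

    Returns (findings, redacted_lines): findings is the list of 1-based line
    numbers that leaked a password, redacted_lines is the input with every
    leaked password masked so the log can be retained or shared safely.
    """
    findings = []
    redacted = []
    for lineno, line in enumerate(lines, start=1):
        match = URI_FIELD.search(line)
        if match and dsn_has_password(match.group(1)):
            findings.append(lineno)
            line = line[: match.start(1)] + redact_dsn(match.group(1)) + line[match.end(1):]
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    leaked, cleaned = scan_startup_log(SAMPLE_LOG_LINES)
    print("lines with leaked datastore password:", leaked)
    for entry in cleaned:
        print(entry)
```

Run it over exported logs from any SpiceDB 1.49.0 through 1.51.0 deployment that started at log level info; a non-empty `findings` list means the datastore password reached the log pipeline and should be rotated, in addition to applying the 1.51.1 upgrade or the warn/error log-level workaround from the advisory.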

Key dates

Disclosure timeline

April 14, 2026 CVE published
April 15, 2026 Record updated