CVE-2026-40091: CWE-532: Insertion of Sensitive Information into Log File in authzed spicedb
CVE-2026-40091 is a vulnerability in authzed's SpiceDB versions 1. 49. 0 through 1. 51. 0 where the startup configuration log at info level includes the full datastore DSN with the plaintext password. This sensitive information exposure occurs in the DatastoreConfig. URI field. The issue is fixed in version 1. 51. 1.
AI Analysis
Technical Summary
SpiceDB, an open source database for managing application permissions, had a vulnerability (CVE-2026-40091) in versions 1.49.0 to 1.51.0 where the startup configuration log at info level exposed the full datastore connection string including plaintext passwords. This is an instance of CWE-532 (Insertion of Sensitive Information into Log File). The vulnerability allows sensitive credentials to be recorded in logs, potentially exposing them to unauthorized users with log access. The issue was resolved in version 1.51.1. As a temporary workaround, changing the log level to warn or error prevents the sensitive information from being logged during startup.
Potential Impact
The vulnerability exposes plaintext datastore passwords in logs when running SpiceDB at info log level, potentially allowing attackers or unauthorized users with access to logs to obtain sensitive credentials. This can lead to unauthorized access to the datastore. The CVSS score is 6.0 (medium severity) with local attack vector, low complexity, high privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact.
Mitigation Recommendations
Upgrade SpiceDB to version 1.51.1 or later where this issue is fixed. If immediate upgrade is not possible, change the log level from info to warn or error to prevent logging sensitive datastore credentials during startup.
CVE-2026-40091: CWE-532: Insertion of Sensitive Information into Log File in authzed spicedb
Description
CVE-2026-40091 is a vulnerability in authzed's SpiceDB versions 1. 49. 0 through 1. 51. 0 where the startup configuration log at info level includes the full datastore DSN with the plaintext password. This sensitive information exposure occurs in the DatastoreConfig. URI field. The issue is fixed in version 1. 51. 1.
CVSS v3.1
Score 6.0medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SpiceDB, an open source database for managing application permissions, had a vulnerability (CVE-2026-40091) in versions 1.49.0 to 1.51.0 where the startup configuration log at info level exposed the full datastore connection string including plaintext passwords. This is an instance of CWE-532 (Insertion of Sensitive Information into Log File). The vulnerability allows sensitive credentials to be recorded in logs, potentially exposing them to unauthorized users with log access. The issue was resolved in version 1.51.1. As a temporary workaround, changing the log level to warn or error prevents the sensitive information from being logged during startup.
Potential Impact
The vulnerability exposes plaintext datastore passwords in logs when running SpiceDB at info log level, potentially allowing attackers or unauthorized users with access to logs to obtain sensitive credentials. This can lead to unauthorized access to the datastore. The CVSS score is 6.0 (medium severity) with local attack vector, low complexity, high privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact.
Mitigation Recommendations
Upgrade SpiceDB to version 1.51.1 or later where this issue is fixed. If immediate upgrade is not possible, change the log level from info to warn or error to prevent logging sensitive datastore credentials during startup.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T00:39:12.206Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ded8f482d89c981f22edd3
Added to database: 4/15/2026, 12:16:52 AM
Last enriched: 4/22/2026, 6:50:32 AM
Last updated: 5/29/2026, 6:26:40 PM
Views: 84
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.