CVE-2026-40091: CWE-532: Insertion of Sensitive Information into Log File in authzed spicedb
CVE-2026-40091 is a vulnerability in authzed's SpiceDB versions 1.49.0 through 1.51.0 where the startup configuration log at info level includes the full datastore DSN with the plaintext password. This sensitive information exposure occurs in the DatastoreConfig.URI field. The issue is fixed in version 1.51.1.
AI Analysis
Technical Summary
SpiceDB, an open source database for managing application permissions, improperly logs sensitive information during startup when configured with log level info. Specifically, the full datastore Data Source Name (DSN), including the plaintext password, is written to the startup configuration log (DatastoreConfig.URI) in versions 1.49.0 through 1.51.0. This exposure of credentials in logs constitutes CWE-532 (Insertion of Sensitive Information into Log File). The vulnerability has been resolved in version 1.51.1. As a workaround, users can reduce the log verbosity to warn or error levels to prevent logging the sensitive DSN information until they can upgrade.
Potential Impact
The vulnerability exposes plaintext datastore passwords in logs during startup, which could lead to unauthorized access if log files are accessed by attackers or unauthorized personnel. The CVSS score of 6.0 (medium severity) reflects that exploitation requires local access with high privileges (AV:L/PR:H) but can result in complete confidentiality compromise of the datastore credentials. There is no indication of known exploits in the wild.
Mitigation Recommendations
Upgrade SpiceDB to version 1.51.1 or later, where this issue is fixed. If immediate upgrade is not possible, change the log level from info to warn or error to prevent logging sensitive datastore credentials. No other specific mitigations are indicated.
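The defensive pattern behind the fix is to never hand a raw DSN to the logger. The following is an added illustration, not SpiceDB's own code or its actual 1.51.1 patch: it assumes a hypothetical DatastoreConfig struct with a URI field and scrubs the password from URL-style, query-parameter and libpq key=value DSNs before the startup line is emitted.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// DatastoreConfig is a hypothetical stand-in for the config struct the advisory
// names; only the URI field is relevant here.
type DatastoreConfig struct {
	Engine string
	URI    string
}

// kvPassword matches a libpq-style "password=secret" pair in key=value DSNs.
var kvPassword = regexp.MustCompile(`(?i)(password\s*=\s*)([^\s;]+)`)

const redacted = "xxxxx"

// RedactDSN returns a copy of dsn that is safe to log. It scrubs the password in
// URL userinfo (postgres://user:pw@host/db), in a "password=" query parameter,
// and in libpq key=value form (host=... password=... dbname=...).
func RedactDSN(dsn string) string {
	u, err := url.Parse(dsn)
	if err != nil || u.Scheme == "" {
		// Not a URL (or unparsable): fall back to scrubbing key=value form.
		return kvPassword.ReplaceAllString(dsn, "${1}"+redacted)
	}
	if _, has := u.User.Password(); has { // Userinfo methods are nil-safe
		u.User = url.UserPassword(u.User.Username(), redacted)
	}
	if q := u.Query(); q.Has("password") {
		q.Set("password", redacted)
		u.RawQuery = q.Encode()
	}
	return u.String()
}

// StartupLogLine builds the info-level startup line from a redacted copy of the
// DSN, so the plaintext password never reaches the log sink.
func StartupLogLine(cfg DatastoreConfig) string {
	return fmt.Sprintf("datastore config: engine=%s uri=%s", cfg.Engine, RedactDSN(cfg.URI))
}

func main() {
	// Constructed sample DSN; "s3cret" stands in for a real password.
	cfg := DatastoreConfig{Engine: "postgres", URI: "postgres://spicedb:s3cret@db.internal:5432/spicedb?sslmode=require"}
	fmt.Println(StartupLogLine(cfg))
}
```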
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-09T00:39:12.206Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ded8f482d89c981f22edd3
Added to database: 4/15/2026, 12:16:52 AM
Last enriched: 4/15/2026, 12:31:58 AM
Last updated: 4/15/2026, 2:06:30 AM