CVE-2026-7860: CWE-209 Generation of Error Message Containing Sensitive Information in vaadin flow
CVE-2026-7860 is an information disclosure vulnerability in the Vaadin Maven and Gradle plugins used in the Vaadin Flow framework. When the frontend build process fails with a non-zero exit status, the full set of environment variables—including potentially sensitive credentials—are exposed in build logs and archived artifacts. This can lead to unintended leakage of secrets in CI environments. The issue affects Vaadin versions 23. 0. 0 through 23. 6. 9, 24. 0. 0 through 24.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-7860) involves the Vaadin Maven and Gradle plugins exposing all environment variables in build logs if the frontend build process exits with an error. Since environment variables often contain sensitive information such as credentials or secrets, this exposure can lead to information disclosure. The vulnerability affects multiple Vaadin Flow plugin versions across major release lines 23, 24, and 25. The vendor has released fixed versions that prevent this leakage by not exposing environment variables in error logs. The CVSS 4.0 base score is 1.6, indicating low severity, primarily due to the requirement of local access and high attack complexity.
Potential Impact
The impact is information disclosure of environment variables during failed frontend builds in CI pipelines using affected Vaadin plugin versions. This can expose secrets such as credentials in clear text within build logs and archived artifacts. There is no indication of remote exploitation or direct code execution. The severity is low, reflecting limited attack vector and complexity.
Mitigation Recommendations
A fix is available. Users should upgrade to Vaadin Flow plugin versions 23.6.11 or later, 24.10.4 or later, or 25.1.5 or later to address this vulnerability. No other mitigations are specified or required once upgraded. Versions 10-13 and 15-22 are unsupported and users should migrate to supported versions with fixes.
CVE-2026-7860: CWE-209 Generation of Error Message Containing Sensitive Information in vaadin flow
Description
CVE-2026-7860 is an information disclosure vulnerability in the Vaadin Maven and Gradle plugins used in the Vaadin Flow framework. When the frontend build process fails with a non-zero exit status, the full set of environment variables—including potentially sensitive credentials—are exposed in build logs and archived artifacts. This can lead to unintended leakage of secrets in CI environments. The issue affects Vaadin versions 23. 0. 0 through 23. 6. 9, 24. 0. 0 through 24.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-7860) involves the Vaadin Maven and Gradle plugins exposing all environment variables in build logs if the frontend build process exits with an error. Since environment variables often contain sensitive information such as credentials or secrets, this exposure can lead to information disclosure. The vulnerability affects multiple Vaadin Flow plugin versions across major release lines 23, 24, and 25. The vendor has released fixed versions that prevent this leakage by not exposing environment variables in error logs. The CVSS 4.0 base score is 1.6, indicating low severity, primarily due to the requirement of local access and high attack complexity.
Potential Impact
The impact is information disclosure of environment variables during failed frontend builds in CI pipelines using affected Vaadin plugin versions. This can expose secrets such as credentials in clear text within build logs and archived artifacts. There is no indication of remote exploitation or direct code execution. The severity is low, reflecting limited attack vector and complexity.
Mitigation Recommendations
A fix is available. Users should upgrade to Vaadin Flow plugin versions 23.6.11 or later, 24.10.4 or later, or 25.1.5 or later to address this vulnerability. No other mitigations are specified or required once upgraded. Versions 10-13 and 15-22 are unsupported and users should migrate to supported versions with fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Vaadin
- Date Reserved
- 2026-05-05T11:51:33.170Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0c47dcec166c07b097b89a
Added to database: 5/19/2026, 11:22:04 AM
Last enriched: 5/19/2026, 11:36:56 AM
Last updated: 5/19/2026, 1:40:39 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.