GHSA-jf4f-rr2c-9m58

Source
https://github.com/advisories/GHSA-jf4f-rr2c-9m58
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jf4f-rr2c-9m58/GHSA-jf4f-rr2c-9m58.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jf4f-rr2c-9m58
Aliases
  • CVE-2026-40091
Published
2026-04-14T22:33:06Z
Modified
2026-04-14T23:09:12.671281Z
Severity
  • 6.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Summary
SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs
Details

Impact

When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI.

Patches

v1.51.1

Workarounds

Change the log level to warn or error.
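
The Impact section describes a DSN being written to the log with its password intact (CWE-532). The following is an added example, not SpiceDB's patch or code from the project: a redaction helper that could be applied to a connection string before a configuration struct is logged. The names RedactDSN, mask and kvPassword and all sample DSNs are hypothetical and constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

const mask = "REDACTED"

// kvPassword matches password=value (quoted or bare) in keyword/value DSNs.
var kvPassword = regexp.MustCompile(`(?i)\bpassword\s*=\s*('(?:[^'\\]|\\.)*'|\S+)`)

// RedactDSN returns a form of dsn that is safe to log. It fails closed:
// a URI that cannot be parsed is masked entirely.
func RedactDSN(dsn string) string {
	if strings.Contains(dsn, "://") {
		u, err := url.Parse(dsn)
		if err != nil {
			// Do not log err either: url.Parse errors quote the input.
			return "<unparseable DSN " + mask + ">"
		}
		if _, ok := u.User.Password(); ok {
			u.User = url.UserPassword(u.User.Username(), mask)
		}
		// Also mask a password passed as a query parameter (over-redacts the tail).
		return kvPassword.ReplaceAllString(u.String(), "password="+mask)
	}
	if kvPassword.MatchString(dsn) {
		return kvPassword.ReplaceAllString(dsn, "password="+mask)
	}
	// user:password@protocol(address)/dbname, as used by MySQL drivers.
	at, colon := strings.LastIndex(dsn, "@"), strings.Index(dsn, ":")
	if colon >= 0 && colon < at {
		return dsn[:colon+1] + mask + dsn[at:]
	}
	return dsn
}

func main() {
	// Constructed sample values, not taken from any real deployment.
	for _, dsn := range []string{
		"postgres://spicedb:s3cr3t@db.internal:5432/spicedb?sslmode=require",
		"host=db.internal user=spicedb password='s3 cr3t' dbname=spicedb",
		"spicedb:s3cr3t@tcp(db.internal:3306)/spicedb?parseTime=true",
	} {
		fmt.Println(RedactDSN(dsn))
	}
}
```

Redaction only protects future log lines; a password that has already reached stored logs should be rotated.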

Database specific
{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-532"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-04-14T22:33:06Z",
    "github_reviewed": true
}

Affected packages

Go / github.com/authzed/spicedb

Package

Name
github.com/authzed/spicedb
Purl
pkg:golang/github.com/authzed/spicedb

Affected ranges

Type
SEMVER
Events
Introduced
1.49.0
Fixed
1.51.1

Database specific

last_known_affected_version_range
"<= 1.51.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-jf4f-rr2c-9m58/GHSA-jf4f-rr2c-9m58.json"