Medium severity 6.0 · NVD Advisory · Published Apr 15, 2026 · Updated Apr 23, 2026
CVE-2026-40091
Description
SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.
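One way to keep a DSN password out of a configuration log is to mask it before the value is handed to the logger. This is an added example, not SpiceDB's code or the 1.51.1 fix; `RedactDSN` and the sample DSNs are hypothetical, and it covers both URL-style and keyword/value DSNs.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// kvPassword matches password=value in keyword/value DSNs, where the value is
// single-quoted (backslash escapes allowed) or a run of non-space characters.
var kvPassword = regexp.MustCompile(`(?i)\b(password)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)`)

// RedactDSN (hypothetical helper) returns dsn with any password masked so the
// result is safe to place in a log field.
func RedactDSN(dsn string) string {
	if strings.Contains(dsn, "://") {
		u, err := url.Parse(dsn)
		if err != nil {
			// Fail closed: never echo a DSN that could not be parsed.
			return "(unparseable DSN redacted)"
		}
		// Some drivers also accept the password as a query parameter.
		q := u.Query()
		if q.Has("password") {
			q.Set("password", "xxxxx")
			u.RawQuery = q.Encode()
		}
		return u.Redacted() // masks the userinfo password as "xxxxx"
	}
	return kvPassword.ReplaceAllString(dsn, "${1}=xxxxx")
}

func main() {
	// Constructed sample DSNs, not taken from the advisory.
	for _, dsn := range []string{
		"postgres://spicedb:s3cr3t@db.example.internal:5432/spicedb?sslmode=require",
		"host=db.example.internal user=spicedb password='s3 cr3t' dbname=spicedb",
	} {
		fmt.Println(RedactDSN(dsn))
	}
}
```

If logs were collected from an affected version at info level, the datastore password in them should be treated as exposed and rotated.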
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/authzed/spicedb (Go) | >= 1.49.0, < 1.51.1 | 1.51.1 |
References
- github.com/advisories/GHSA-jf4f-rr2c-9m58 (ghsa; ADVISORY)
- github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58 (nvd; Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-40091 (ghsa; ADVISORY)
- github.com/authzed/spicedb/releases/tag/v1.51.1 (nvd; Product, Release Notes, WEB)