Medium severity (6.0) · NVD Advisory · Published Apr 15, 2026 · Updated Apr 23, 2026
CVE-2026-40091
Description
SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.
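A check an operator can run over logs retained from the affected versions, given as an added example (not SpiceDB's code): it flags every line carrying a URL-style DSN with an embedded password and returns a redacted copy. The names `Finding`, `RedactLine` and `ScanLog` and the sample log lines are constructed for illustration and do not reproduce SpiceDB's actual log format; key-value style connection strings are not matched.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// dsnCred matches scheme://user:password@ in URL-style DSNs. The password
// group is greedy, so a password containing '@' is captured up to the last
// '@' that precedes the host part.
var dsnCred = regexp.MustCompile(`([a-zA-Z][a-zA-Z0-9+.-]*://[^\s:/@"']+):([^\s/"']+)@`)

// Finding records one log line that carried a DSN password.
type Finding struct {
	Line     int    // 1-based line number
	Redacted string // the line with every DSN password masked
}

// RedactLine masks DSN passwords in a line and returns how many were masked.
func RedactLine(line string) (string, int) {
	n := len(dsnCred.FindAllStringIndex(line, -1))
	return dsnCred.ReplaceAllString(line, "${1}:REDACTED@"), n
}

// ScanLog returns a Finding for each line of log text containing a DSN password.
func ScanLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for i := 1; sc.Scan(); i++ {
		if red, n := RedactLine(sc.Text()); n > 0 {
			out = append(out, Finding{Line: i, Redacted: red})
		}
	}
	return out
}

// sampleLog is constructed for this example; it is not real SpiceDB output.
const sampleLog = `{"level":"info","message":"configuration","DatastoreConfig.URI":"postgres://spicedb:s3cr3t@db.internal:5432/spicedb?sslmode=require"}
{"level":"info","message":"grpc server started","addr":":50051"}
{"level":"info","message":"configuration","DatastoreConfig.URI":"postgres://db.internal:5432/spicedb"}
{"level":"info","message":"configuration","DatastoreConfig.URI":"postgres://spicedb:p@ss@db.internal:5432/spicedb"}`

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("line %d leaked a DSN password: %s\n", f.Line, f.Redacted)
	}
}
```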
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/authzed/spicedb (Go) | >= 1.49.0, < 1.51.1 | 1.51.1 |
References
- github.com/advisories/GHSA-jf4f-rr2c-9m58 (ghsa, ADVISORY)
- github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58 (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-40091 (ghsa, ADVISORY)
- github.com/authzed/spicedb/releases/tag/v1.51.1 (nvd, Product, Release Notes, WEB)