Information Disclosure in SpiceDB by Authzed
CVE-2026-40091

6 MEDIUM

Key Information:

Vendor

Authzed

Status
Vendor
CVE Published: 14 April 2026

What is CVE-2026-40091?

In SpiceDB versions 1.49.0 through 1.51.0, an information disclosure vulnerability allows the full datastore Data Source Name (DSN), including plaintext passwords, to be logged during startup when the log level is set to info. This exposure can lead to unauthorized access if the log data is accessed by malicious actors. The issue has been resolved in version 1.51.1, but users unable to upgrade immediately are advised to mitigate the risk by adjusting the log level to warn or error.

Affected Version(s)

spicedb >= 1.49.0, < 1.51.1

CVSS V3.1

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
