SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

GHSA-jf4f-rr2c-9m58 · CVE-2026-40091

Published Apr 14, 2026 · Modified May 14, 2026

Description

Impact

When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI.

Patches

v1.51.1

Workarounds

Change the log level to warn or error.

References

WEB https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40091
PACKAGE https://github.com/authzed/spicedb
WEB https://github.com/authzed/spicedb/releases/tag/v1.51.1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes