5 matches found
CVE-2026-40091
SpiceDB 1.49.0–1.51.0 logs startup configuration with the full datastore DSN (DatastoreConfig.URI), including plaintext password, when the log level is info. This exposes credentials in startup logs. The issue is fixed in 1.51.1. If upgrading is not possible, the recommended workaround is to set ...
SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs
Impact When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. Patches v1.51.1 Workarounds Change the log level to warn or error...
PT-2026-32969
Name of the Vulnerable Software and Affected Versions SpiceDB versions 1.49.0 through 1.51.0 Description When the system starts with the log level set to info, the startup 'configuration' log exposes the full datastore DSN, including the plaintext password, within the DatastoreConfig.URI variable...
CVE-2023-46255
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed e.g. by having a password which contains : the full URI including the provided password is...
CVE-2023-46255 `SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed e.g. by having a password which contains : the full URI including the provided password is...