CVE-2026-40091: SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

April 14, 2026 (updated April 24, 2026)

When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI.

References

github.com/advisories/GHSA-jf4f-rr2c-9m58
github.com/authzed/spicedb
github.com/authzed/spicedb/releases/tag/v1.51.1
github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58
nvd.nist.gov/vuln/detail/CVE-2026-40091

Code Behaviors & Features

Detect and mitigate CVE-2026-40091 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →