CVE-2026-25211: Llama Stack exposes secret in initialization log

January 30, 2026

Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.

References

github.com/advisories/GHSA-xmfj-7pp5-fxr6
github.com/llamastack/llama-stack
github.com/llamastack/llama-stack/commit/b709bd77b6c1fad68a30a4888baa6f2337eaef6f
github.com/llamastack/llama-stack/compare/v0.4.0rc2...v0.4.0rc3
nvd.nist.gov/vuln/detail/CVE-2026-25211

Code Behaviors & Features

Detect and mitigate CVE-2026-25211 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →