What is GHSA-jf4f-rr2c-9m58?

GHSA-jf4f-rr2c-9m58 is a security advisory published by GitHub Security Advisories with Medium severity. SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

Which CVE IDs does GHSA-jf4f-rr2c-9m58 cover?

GHSA-jf4f-rr2c-9m58 covers the following CVE IDs: CVE-2026-40091. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-jf4f-rr2c-9m58?

GHSA-jf4f-rr2c-9m58 has a CVSS v3 base score of 6.0, published by GitHub Security Advisories.

Which products are affected by GHSA-jf4f-rr2c-9m58?

GHSA-jf4f-rr2c-9m58 affects 1 product, including: go/github.com/authzed/spicedb:\u003e= 1.49.0, \u003c= 1.51.0.

GHSA-jf4f-rr2c-9m58MediumCVSS 6.0

SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

Vendor

GitHub Security Advisories

Published

April 14, 2026

Last Modified

May 28, 2026

🔗 CVE IDs covered (1)

CVE-2026-40091 →

📋 Description

Impact

When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI.

Patches

v1.51.1

Workarounds

Change the log level to warn or error.

🎯 Affected products1

go/github.com/authzed/spicedb:>= 1.49.0, <= 1.51.0

🔗 References (4)

https://github.com/authzed/spicedb/security/advisories/GHSA-jf4f-rr2c-9m58
https://nvd.nist.gov/vuln/detail/CVE-2026-40091
https://github.com/authzed/spicedb/releases/tag/v1.51.1
https://github.com/advisories/GHSA-jf4f-rr2c-9m58