What is GHSA-wg5x-3g47-v38r?

GHSA-wg5x-3g47-v38r is a security advisory published by GitHub Security Advisories with Medium severity. fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode

Which CVE IDs does GHSA-wg5x-3g47-v38r cover?

GHSA-wg5x-3g47-v38r covers the following CVE IDs: CVE-2026-45581. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-wg5x-3g47-v38r?

GHSA-wg5x-3g47-v38r has a CVSS v3 base score of 5.5, published by GitHub Security Advisories.

Which products are affected by GHSA-wg5x-3g47-v38r?

GHSA-wg5x-3g47-v38r affects 1 product, including: maven/org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:\u003e= 2.3.1, \u003c= 2.5.9.

GHSA-wg5x-3g47-v38rMediumCVSS 5.5

fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-45581 →

📋 Description

When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. ### Recommendation - Update to the fixed version of the chaincode runtime. - Redact or remove existing logs that contain the TLS private key password. - Change the TLS private key password. ### Mitigation Impacted deployments can mitigate the vulnerability by restricting the logging level to WARNING or higher so that INFO level logs are not written.

🎯 Affected products1

maven/org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:>= 2.3.1, <= 2.5.9

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (2)