Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1123

NIXPKGS-2026-1123
published on
Permalink CVE-2026-40091
6.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 6 days ago
  • @LeSuisse ignored
    3 packages
    • tree-sitter-grammars.tree-sitter-spicedb
    • python314Packages.tree-sitter-grammars.tree-sitter-spicedb
    • python313Packages.tree-sitter-grammars.tree-sitter-spicedb
    1 week, 6 days ago
  • @LeSuisse accepted 1 week, 6 days ago
  • @LeSuisse published on GitHub 1 week, 6 days ago
SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately upgrade, they can work around this issue by changing the log level to warn or error.

Affected products

spicedb
  • ==>= 1.49.0, < 1.51.1

Matching in nixpkgs

Ignored packages (3)

Package maintainers