SCA: security update for github.com/authzed/spicedb (GHSA-jf4f-rr2c-9m58)

medium Tenable Self-Hosted Container Security Plugin ID 440377

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SpiceDB is an open source database system for creating and managing security-critical application
permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup
"configuration" log will include the full datastore DSN, including the plaintext password, inside
DatastoreConfig.URI. This issue has been fixed in version 1.51.1. If users are unable to immediately
upgrade, they can work around this issue by changing the log level to warn or error. (CVE-2026-40091)

Solution

Update the github.com/authzed/spicedb library and its related packages to version 1.51.1 or later.

See Also

https://github.com/advisories/GHSA-jf4f-rr2c-9m58

Plugin Details

Severity: Medium

ID: 440377

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 4/15/2026

Updated: 6/2/2026

Risk Information

VPR

Risk Factor: Low

Score: 3.6

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:L/AC:L/Au:M/C:C/I:N/A:N

CVSS Score Source: CVE-2026-40091

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.9

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/14/2026

Vulnerability Publication Date: 4/14/2026

Reference Information

CVE: CVE-2026-40091

CWE: CWE-532