Vulnerability-Lookup

CVE-2026-7860 (GCVE-0-2026-7860)

Vulnerability from cvelistv5 – Published: 2026-05-19 11:01 – Updated: 2026-05-21 18:09

Title

Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build

Summary

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.9.16 Vaadin 24.10.0 - 24.10.3 Vaadin 25.0.0 - 25.0.10 Vaadin 25.1.0 - 25.1.4 Mitigation Upgrade to 23.6.10 Upgrade to 24.9.17 or newer Upgrade to 24.10.4 or newer Upgrade to 25.0.11 or newer Upgrade to 25.1.5 or newer Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version. ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4≥25.1.5

Severity ?

1.6 (Low)


                        
                          CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green

CWE

CWE-209 - Generation of Error Message Containing Sensitive Information

Assigner

Vaadin

References

2 references

URL	Tags
https://vaadin.com/security/cve-2026-7860
https://github.com/vaadin/flow/pull/24219

Impacted products

3 products

Vendor	Product	Version
vaadin	flow	Affected: 23.0.0 , ≤ 23.6.10 (maven) Affected: 24.0.0 , ≤ 24.9.17 (maven) Affected: 24.10.0 , ≤ 24.10.3 (maven) Affected: 25.0.0 , ≤ 25.0.11 (maven) Affected: 25.1.0 , ≤ 25.1.4 (maven)
vaadin	flow	Affected: 23.0.0 , ≤ 23.6.10 (maven) Affected: 24.0.0 , ≤ 24.9.17 (maven) Affected: 24.10.0 , ≤ 24.10.3 (maven) Affected: 25.0.0 , ≤ 25.0.11 (maven) Affected: 25.1.0 , ≤ 25.1.4 (maven)
vaadin	flow	Affected: 24.0.0 , ≤ 24.9.17 (maven) Affected: 24.10.0 , ≤ 24.10.3 (maven) Affected: 25.0.0 , ≤ 25.0.11 (maven) Affected: 25.1.0 , ≤ 25.1.4 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7860",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T13:42:28.555116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T13:42:39.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-plugin-base",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "23.6.10",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-maven-plugin",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "23.6.10",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-gradle-plugin",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003eA possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 23.0.0 - 23.6.9\u003cbr\u003eVaadin 24.0.0 - 24.9.16\u003cbr\u003eVaadin 24.10.0 - 24.10.3\u003cbr\u003eVaadin 25.0.0 - 25.0.10\u003cbr\u003eVaadin 25.1.0 - 25.1.4\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 23.6.10\u003cbr\u003eUpgrade to 24.9.17 or newer\u003cbr\u003eUpgrade to 24.10.4 or newer\u003cbr\u003eUpgrade to 25.0.11 or newer\u003cbr\u003eUpgrade to 25.1.5 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/span\u003e"
            }
          ],
          "value": "A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 23.0.0 - 23.6.9\nVaadin 24.0.0 - 24.9.16\nVaadin 24.10.0 - 24.10.3\nVaadin 25.0.0 - 25.0.10\nVaadin 25.1.0 - 25.1.4\n\nMitigation\nUpgrade to 23.6.10\nUpgrade to 24.9.17 or newer\nUpgrade to 24.10.4 or newer\nUpgrade to 25.0.11 or newer\nUpgrade to 25.1.5 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\n\nArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4\u226525.1.5"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-169",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-169 Footprinting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "AUTOMATIC",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 1.6,
            "baseSeverity": "LOW",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T18:09:14.990Z",
        "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
        "shortName": "Vaadin"
      },
      "references": [
        {
          "url": "https://vaadin.com/security/cve-2026-7860"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/24219"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
            }
          ],
          "value": "Users of affected versions should apply the following mitigation or upgrade."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
    "assignerShortName": "Vaadin",
    "cveId": "CVE-2026-7860",
    "datePublished": "2026-05-19T11:01:47.212Z",
    "dateReserved": "2026-05-05T11:51:33.170Z",
    "dateUpdated": "2026-05-21T18:09:14.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-7860",
      "date": "2026-05-24",
      "epss": "0.00014",
      "percentile": "0.02944"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-7860\",\"sourceIdentifier\":\"security@vaadin.com\",\"published\":\"2026-05-19T12:16:19.960\",\"lastModified\":\"2026-05-21T19:16:55.610\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\\n\\n\\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\\n\\nProduct version\\nVaadin 23.0.0 - 23.6.9\\nVaadin 24.0.0 - 24.9.16\\nVaadin 24.10.0 - 24.10.3\\nVaadin 25.0.0 - 25.0.10\\nVaadin 25.1.0 - 25.1.4\\n\\nMitigation\\nUpgrade to 23.6.10\\nUpgrade to 24.9.17 or newer\\nUpgrade to 24.10.4 or newer\\nUpgrade to 25.0.11 or newer\\nUpgrade to 25.1.5 or newer\\n\\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\\n\\nArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4\u226525.1.5\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@vaadin.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:C/RE:L/U:Green\",\"baseScore\":1.6,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NEGLIGIBLE\",\"Automatable\":\"NO\",\"Recovery\":\"AUTOMATIC\",\"valueDensity\":\"CONCENTRATED\",\"vulnerabilityResponseEffort\":\"LOW\",\"providerUrgency\":\"GREEN\"}}]},\"weaknesses\":[{\"source\":\"security@vaadin.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-209\"}]}],\"references\":[{\"url\":\"https://github.com/vaadin/flow/pull/24219\",\"source\":\"security@vaadin.com\"},{\"url\":\"https://vaadin.com/security/cve-2026-7860\",\"source\":\"security@vaadin.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-7860\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-19T13:42:28.555116Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-19T13:42:34.487Z\"}}], \"cna\": {\"title\": \"Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build\", \"source\": {\"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-169\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-169 Footprinting\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NEGLIGIBLE\", \"version\": \"4.0\", \"Recovery\": \"AUTOMATIC\", \"baseScore\": 1.6, \"Automatable\": \"NO\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"CONCENTRATED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"GREEN\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/vaadin/flow\", \"vendor\": \"vaadin\", \"product\": \"flow\", \"versions\": [{\"status\": \"affected\", \"version\": \"23.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"23.6.10\"}, {\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.9.17\"}, {\"status\": \"affected\", \"version\": \"24.10.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.10.3\"}, {\"status\": \"affected\", \"version\": \"25.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"25.0.11\"}, {\"status\": \"affected\", \"version\": \"25.1.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"25.1.4\"}], \"packageName\": \"com.vaadin:flow-plugin-base\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/vaadin/flow\", \"vendor\": \"vaadin\", \"product\": \"flow\", \"versions\": [{\"status\": \"affected\", \"version\": \"23.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"23.6.10\"}, {\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.9.17\"}, {\"status\": \"affected\", \"version\": \"24.10.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.10.3\"}, {\"status\": \"affected\", \"version\": \"25.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"25.0.11\"}, {\"status\": \"affected\", \"version\": \"25.1.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"25.1.4\"}], \"packageName\": \"com.vaadin:flow-maven-plugin\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/vaadin/flow\", \"vendor\": \"vaadin\", \"product\": \"flow\", \"versions\": [{\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.9.17\"}, {\"status\": \"affected\", \"version\": \"24.10.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.10.3\"}, {\"status\": \"affected\", \"version\": \"25.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"25.0.11\"}, {\"status\": \"affected\", \"version\": \"25.1.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"25.1.4\"}], \"packageName\": \"com.vaadin:flow-gradle-plugin\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Users of affected versions should apply the following mitigation or upgrade.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cb\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://vaadin.com/security/cve-2026-7860\"}, {\"url\": \"https://github.com/vaadin/flow/pull/24219\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\\n\\n\\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\\n\\nProduct version\\nVaadin 23.0.0 - 23.6.9\\nVaadin 24.0.0 - 24.9.16\\nVaadin 24.10.0 - 24.10.3\\nVaadin 25.0.0 - 25.0.10\\nVaadin 25.1.0 - 25.1.4\\n\\nMitigation\\nUpgrade to 23.6.10\\nUpgrade to 24.9.17 or newer\\nUpgrade to 24.10.4 or newer\\nUpgrade to 25.0.11 or newer\\nUpgrade to 25.1.5 or newer\\n\\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\\n\\nArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10\\u226523.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17\\u226524.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3\\u226524.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11\\u226525.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4\\u226525.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10\\u226523.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17\\u226524.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3\\u226524.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11\\u226525.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4\\u226525.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17\\u226524.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3\\u226524.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11\\u226525.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4\\u226525.1.5\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan\u003eA possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 23.0.0 - 23.6.9\u003cbr\u003eVaadin 24.0.0 - 24.9.16\u003cbr\u003eVaadin 24.10.0 - 24.10.3\u003cbr\u003eVaadin 25.0.0 - 25.0.10\u003cbr\u003eVaadin 25.1.0 - 25.1.4\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 23.6.10\u003cbr\u003eUpgrade to 24.9.17 or newer\u003cbr\u003eUpgrade to 24.10.4 or newer\u003cbr\u003eUpgrade to 25.0.11 or newer\u003cbr\u003eUpgrade to 25.1.5 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-209\", \"description\": \"CWE-209 Generation of Error Message Containing Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"9e0f3122-90e9-42d5-93de-8c6b98deef7e\", \"shortName\": \"Vaadin\", \"dateUpdated\": \"2026-05-21T18:09:14.990Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-7860\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-21T18:09:14.990Z\", \"dateReserved\": \"2026-05-05T11:51:33.170Z\", \"assignerOrgId\": \"9e0f3122-90e9-42d5-93de-8c6b98deef7e\", \"datePublished\": \"2026-05-19T11:01:47.212Z\", \"assignerShortName\": \"Vaadin\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-7860

Vulnerability from fkie_nvd - Published: 2026-05-19 12:16 - Updated: 2026-05-21 19:16

Severity ?

1.6 (Low) - CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green

Summary

References

	URL	Tags
	security@vaadin.com	https://github.com/vaadin/flow/pull/24219
	security@vaadin.com	https://vaadin.com/security/cve-2026-7860

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 23.0.0 - 23.6.9\nVaadin 24.0.0 - 24.9.16\nVaadin 24.10.0 - 24.10.3\nVaadin 25.0.0 - 25.0.10\nVaadin 25.1.0 - 25.1.4\n\nMitigation\nUpgrade to 23.6.10\nUpgrade to 24.9.17 or newer\nUpgrade to 24.10.4 or newer\nUpgrade to 25.0.11 or newer\nUpgrade to 25.1.5 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\n\nArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4\u226525.1.5"
    }
  ],
  "id": "CVE-2026-7860",
  "lastModified": "2026-05-21T19:16:55.610",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NO",
          "Recovery": "AUTOMATIC",
          "Safety": "NEGLIGIBLE",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 1.6,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "UNREPORTED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "GREEN",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "PASSIVE",
          "valueDensity": "CONCENTRATED",
          "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:C/RE:L/U:Green",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "LOW"
        },
        "source": "security@vaadin.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-19T12:16:19.960",
  "references": [
    {
      "source": "security@vaadin.com",
      "url": "https://github.com/vaadin/flow/pull/24219"
    },
    {
      "source": "security@vaadin.com",
      "url": "https://vaadin.com/security/cve-2026-7860"
    }
  ],
  "sourceIdentifier": "security@vaadin.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "security@vaadin.com",
      "type": "Secondary"
    }
  ]
}

GHSA-J8MX-J73W-9MXW

Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-05-21 21:30

Details

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.10.3 Vaadin 25.0.0 - 25.1.4

Mitigation Upgrade to 23.6.10 Upgrade to 24.10.4 or newer Upgrade to 25.1.5 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.

ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.1.4≥25.1.5

Severity ?

1.6 (Low)


                  
                    CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-7860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T12:16:19Z",
    "severity": "LOW"
  },
  "details": "A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 23.0.0 - 23.6.9\nVaadin 24.0.0 - 24.10.3\nVaadin 25.0.0 - 25.1.4\n\nMitigation\nUpgrade to 23.6.10\nUpgrade to 24.10.4 or newer\nUpgrade to 25.1.5 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\n\nArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-plugin-base24.0.0 - 24.10.3\u226524.10.4com.vaadin:flow-plugin-base25.0.0 - 25.1.4\u226525.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.10.3\u226524.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.1.4\u226525.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.10.3\u226524.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.1.4\u226525.1.5",
  "id": "GHSA-j8mx-j73w-9mxw",
  "modified": "2026-05-21T21:30:31Z",
  "published": "2026-05-19T12:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7860"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/pull/24219"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2026-7860"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:C/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-7860 (GCVE-0-2026-7860)

FKIE_CVE-2026-7860

GHSA-J8MX-J73W-9MXW

Tags

Sightings

Nomenclature