CVE Catalog

CVE-2026-45581

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile - higher than 2% of all known CVEs

Summary

In versions from 2.3.1 to before 2.5.10, when deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server logs include the TLS private key password in plaintext. This allows an attacker with access to the logs to recover the password.

Risk Assessment

Attackers could use the exposed password to impersonate the chaincode server, potentially leading to serious security breaches in the system.

Recommendation

It is recommended to upgrade to version 2.5.10 or later to mitigate this vulnerability and to restrict access to the chaincode server logs.

Original NVD description (English source)

fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS