Vulnerability-Lookup

GHSA-J8MX-J73W-9MXW

Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-06-04 18:38

Summary

Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability

Details

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version	Mitigation
`Vaadin 23.0.0 - 23.6.10`	`Upgrade to 23.6.11`
`Vaadin 24.0.0 - 24.9.17`	`Upgrade to 24.9.18`
`Vaadin 24.10.0 - 24.10.3`	`Upgrade to 24.10.4`
`Vaadin 25.0.0 - 25.0.11`	`Upgrade to 25.0.12`
`Vaadin 25.1.0 - 25.1.4`	`Upgrade to 25.1.5 or newer`

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.

Maven coordinates	Vulnerable version	Fixed version
`com.vaadin:flow-plugin-base`	`23.0.0 - 23.6.10`	`≥ 23.6.11`
`com.vaadin:flow-plugin-base`	`24.0.0 - 24.9.17`	`≥ 24.9.18`
`com.vaadin:flow-plugin-base`	`24.0.0 - 24.10.3`	`≥ 24.10.4`
`com.vaadin:flow-plugin-base`	`25.0.0 - 25.0.11`	`≥ 25.0.12`
`com.vaadin:flow-plugin-base`	`25.1.0 - 25.1.4`	`≥ 25.1.5`
`com.vaadin:flow-maven-plugin`	`23.0.0 - 23.6.10`	`≥ 23.6.11`
`com.vaadin:flow-maven-plugin`	`24.0.0 - 24.9.17`	`≥ 24.9.18`
`com.vaadin:flow-maven-plugin`	`24.0.0 - 24.10.3`	`≥ 24.10.4`
`com.vaadin:flow-maven-plugin`	`25.0.0 - 25.0.11`	`≥ 25.0.12`
`com.vaadin:flow-maven-plugin`	`25.1.0 - 25.1.4`	`≥ 25.1.5`
`com.vaadin:flow-gradle-plugin`	`24.0.0 - 24.9.17`	`≥ 24.9.18`
`com.vaadin:flow-gradle-plugin`	`24.0.0 - 24.10.3`	`≥ 24.10.4`
`com.vaadin:flow-gradle-plugin`	`25.0.0 - 25.0.11`	`≥ 25.0.12`
`com.vaadin:flow-gradle-plugin`	`25.1.0 - 25.1.4`	`≥ 25.1.5`

Severity

1.6 (Low)


                  
                    CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 23.6.10"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 24.9.17"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.9.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.10.0"
            },
            {
              "fixed": "24.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 25.0.11"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.1.0"
            },
            {
              "fixed": "25.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 23.6.10"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-maven-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 24.9.17"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-maven-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.9.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-maven-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.10.0"
            },
            {
              "fixed": "24.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 25.0.11"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-maven-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-maven-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.1.0"
            },
            {
              "fixed": "25.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 24.9.17"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-gradle-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.9.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-gradle-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.10.0"
            },
            {
              "fixed": "24.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 25.0.11"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-gradle-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-gradle-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.1.0"
            },
            {
              "fixed": "25.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-7860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T18:38:34Z",
    "nvd_published_at": "2026-05-19T12:16:19Z",
    "severity": "LOW"
  },
  "details": "A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\n\n| Product version | Mitigation |\n|---|---|\n| `Vaadin 23.0.0 - 23.6.10` | `Upgrade to 23.6.11` |\n| `Vaadin 24.0.0 - 24.9.17` | `Upgrade to 24.9.18` |\n| `Vaadin 24.10.0 - 24.10.3` | `Upgrade to 24.10.4` |\n| `Vaadin 25.0.0 - 25.0.11` | `Upgrade to 25.0.12` |\n| `Vaadin 25.1.0 - 25.1.4` | `Upgrade to 25.1.5 or newer` |\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\n\n| Maven coordinates | Vulnerable version | Fixed version |\n|---|---|---|\n| `com.vaadin:flow-plugin-base` | `23.0.0 - 23.6.10` | `\u2265 23.6.11` |\n| `com.vaadin:flow-plugin-base` | `24.0.0 - 24.9.17` | `\u2265 24.9.18` |\n| `com.vaadin:flow-plugin-base` | `24.0.0 - 24.10.3` | `\u2265 24.10.4` |\n| `com.vaadin:flow-plugin-base` | `25.0.0 - 25.0.11` | `\u2265 25.0.12` |\n| `com.vaadin:flow-plugin-base` | `25.1.0 - 25.1.4` | `\u2265 25.1.5` |\n| `com.vaadin:flow-maven-plugin` | `23.0.0 - 23.6.10` | `\u2265 23.6.11` |\n| `com.vaadin:flow-maven-plugin` | `24.0.0 - 24.9.17` | `\u2265 24.9.18` |\n| `com.vaadin:flow-maven-plugin` | `24.0.0 - 24.10.3` | `\u2265 24.10.4` |\n| `com.vaadin:flow-maven-plugin` | `25.0.0 - 25.0.11` | `\u2265 25.0.12` |\n| `com.vaadin:flow-maven-plugin` | `25.1.0 - 25.1.4` | `\u2265 25.1.5` |\n| `com.vaadin:flow-gradle-plugin` | `24.0.0 - 24.9.17` | `\u2265 24.9.18` |\n| `com.vaadin:flow-gradle-plugin` | `24.0.0 - 24.10.3` | `\u2265 24.10.4` |\n| `com.vaadin:flow-gradle-plugin` | `25.0.0 - 25.0.11` | `\u2265 25.0.12` |\n| `com.vaadin:flow-gradle-plugin` | `25.1.0 - 25.1.4` | `\u2265 25.1.5` |",
  "id": "GHSA-j8mx-j73w-9mxw",
  "modified": "2026-06-04T18:38:34Z",
  "published": "2026-05-19T12:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7860"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/pull/24219"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vaadin/flow"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2026-7860"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability"
}

CVE-2026-7860 (GCVE-0-2026-7860)

Vulnerability from cvelistv5 – Published: 2026-05-19 11:01 – Updated: 2026-05-21 18:09

Title

Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build

Summary

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.9.16 Vaadin 24.10.0 - 24.10.3 Vaadin 25.0.0 - 25.0.10 Vaadin 25.1.0 - 25.1.4 Mitigation Upgrade to 23.6.10 Upgrade to 24.9.17 or newer Upgrade to 24.10.4 or newer Upgrade to 25.0.11 or newer Upgrade to 25.1.5 or newer Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version. ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4≥25.1.5

Severity

1.6 (Low)


                        
                          CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-209 - Generation of Error Message Containing Sensitive Information

Assigner

Vaadin

References

2 references

URL	Tags
https://vaadin.com/security/cve-2026-7860
https://github.com/vaadin/flow/pull/24219

Impacted products

2 products

Vendor	Product	Version
vaadin	flow	Affected: 23.0.0 , ≤ 23.6.10 (maven) Affected: 24.0.0 , ≤ 24.9.17 (maven) Affected: 24.10.0 , ≤ 24.10.3 (maven) Affected: 25.0.0 , ≤ 25.0.11 (maven) Affected: 25.1.0 , ≤ 25.1.4 (maven)
vaadin	flow	Affected: 24.0.0 , ≤ 24.9.17 (maven) Affected: 24.10.0 , ≤ 24.10.3 (maven) Affected: 25.0.0 , ≤ 25.0.11 (maven) Affected: 25.1.0 , ≤ 25.1.4 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7860",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T13:42:28.555116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T13:42:39.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-plugin-base",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "23.6.10",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-maven-plugin",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "23.6.10",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-gradle-plugin",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003eA possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 23.0.0 - 23.6.9\u003cbr\u003eVaadin 24.0.0 - 24.9.16\u003cbr\u003eVaadin 24.10.0 - 24.10.3\u003cbr\u003eVaadin 25.0.0 - 25.0.10\u003cbr\u003eVaadin 25.1.0 - 25.1.4\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 23.6.10\u003cbr\u003eUpgrade to 24.9.17 or newer\u003cbr\u003eUpgrade to 24.10.4 or newer\u003cbr\u003eUpgrade to 25.0.11 or newer\u003cbr\u003eUpgrade to 25.1.5 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/span\u003e"
            }
          ],
          "value": "A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 23.0.0 - 23.6.9\nVaadin 24.0.0 - 24.9.16\nVaadin 24.10.0 - 24.10.3\nVaadin 25.0.0 - 25.0.10\nVaadin 25.1.0 - 25.1.4\n\nMitigation\nUpgrade to 23.6.10\nUpgrade to 24.9.17 or newer\nUpgrade to 24.10.4 or newer\nUpgrade to 25.0.11 or newer\nUpgrade to 25.1.5 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\n\nArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4\u226525.1.5"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-169",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-169 Footprinting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "AUTOMATIC",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 1.6,
            "baseSeverity": "LOW",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T18:09:14.990Z",
        "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
        "shortName": "Vaadin"
      },
      "references": [
        {
          "url": "https://vaadin.com/security/cve-2026-7860"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/24219"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
            }
          ],
          "value": "Users of affected versions should apply the following mitigation or upgrade."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
    "assignerShortName": "Vaadin",
    "cveId": "CVE-2026-7860",
    "datePublished": "2026-05-19T11:01:47.212Z",
    "dateReserved": "2026-05-05T11:51:33.170Z",
    "dateUpdated": "2026-05-21T18:09:14.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-J8MX-J73W-9MXW

CVE-2026-7860 (GCVE-0-2026-7860)

Tags

Sightings

Nomenclature