
CVE-2026-7860: Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build

AI-predicted score: 7.5 · Difficulty: Moderate · EPSS: 0.02% · P4

Possible ATT&CK Techniques (1, AI-predicted)

T1530 · Data from Cloud Storage

Affected Version Matrix (14 rows)

Vendor    Product    Version Range         Status
vaadin    flow       23.0.0 - 23.6.10      affected
vaadin    flow       24.0.0 - 24.9.17      affected
vaadin    flow       24.10.0 - 24.10.3     affected
vaadin    flow       25.0.0 - 25.0.11      affected
vaadin    flow       25.1.0 - 25.1.4       affected
vaadin    flow       23.0.0 - 23.6.10      affected
vaadin    flow       24.0.0 - 24.9.17      affected
vaadin    flow       24.10.0 - 24.10.3     affected
… +6 more rows

I. Basic Information for CVE-2026-7860

Vulnerability Information


Vulnerability Title
Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build
Source: NVD (National Vulnerability Database)
Vulnerability Description
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin: whenever the frontend build process exits with a non-zero status, the plugin writes the full set of environment variables to the build log. Because the build environment commonly carries credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts, and they stay exposed for as long as those logs are retained. Upgrading stops further leakage but does not remove what earlier failed builds already wrote; treat any secret that was present in the environment of such a build on an affected version as exposed. Users of affected versions should upgrade as described below.

Affected product versions and the release that fixes each line:

Product version              Mitigation
Vaadin 23.0.0 - 23.6.9       Upgrade to 23.6.10
Vaadin 24.0.0 - 24.9.16      Upgrade to 24.9.17 or newer
Vaadin 24.10.0 - 24.10.3     Upgrade to 24.10.4 or newer
Vaadin 25.0.0 - 25.0.10      Upgrade to 25.0.11 or newer
Vaadin 25.1.0 - 25.1.4       Upgrade to 25.1.5 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported; update to the latest 23, 24, or 25 version.

Artifacts. The product version ranges above and the artifact ranges below do not coincide exactly, so check the plugin artifact version that the build actually resolves against this table rather than relying on the platform version alone:

Maven coordinates                 Vulnerable versions     Fixed version
com.vaadin:flow-plugin-base       23.0.0 - 23.6.10        ≥ 23.6.11
com.vaadin:flow-plugin-base       24.0.0 - 24.9.17        ≥ 24.9.18
com.vaadin:flow-plugin-base       24.10.0 - 24.10.3       ≥ 24.10.4
com.vaadin:flow-plugin-base       25.0.0 - 25.0.11        ≥ 25.0.12
com.vaadin:flow-plugin-base       25.1.0 - 25.1.4         ≥ 25.1.5
com.vaadin:flow-maven-plugin      23.0.0 - 23.6.10        ≥ 23.6.11
com.vaadin:flow-maven-plugin      24.0.0 - 24.9.17        ≥ 24.9.18
com.vaadin:flow-maven-plugin      24.10.0 - 24.10.3       ≥ 24.10.4
com.vaadin:flow-maven-plugin      25.0.0 - 25.0.11        ≥ 25.0.12
com.vaadin:flow-maven-plugin      25.1.0 - 25.1.4         ≥ 25.1.5
com.vaadin:flow-gradle-plugin     24.0.0 - 24.9.17        ≥ 24.9.18
com.vaadin:flow-gradle-plugin     24.10.0 - 24.10.3       ≥ 24.10.4
com.vaadin:flow-gradle-plugin     25.0.0 - 25.0.11        ≥ 25.0.12
com.vaadin:flow-gradle-plugin     25.1.0 - 25.1.4         ≥ 25.1.5
Source: NVD (National Vulnerability Database)
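The following Python script is an added example, not code from Vaadin or from this page. It shows the two checks a CI owner wants after reading the description above: deciding from a resolved com.vaadin plugin artifact and version whether the build sits in a vulnerable range (using the artifact table from the advisory), and triaging an archived build log for the run of NAME=value lines that an environment dump produces, reporting secret-looking variable names without their values. The exact format of the dump, the secret-name heuristic, and the sample log lines are assumptions of this example, not details from the advisory.

```python
"""Triage helpers for the Vaadin build-plugin environment-variable leak.

Added example, not Vaadin's code. Two checks a CI owner wants:
  is_affected()    - given a resolved com.vaadin plugin artifact and version,
                     say whether it is in a vulnerable range and which release
                     fixes it (ranges from the advisory's artifact table).
  find_env_dumps() - scan an archived build log for a run of NAME=value lines,
                     the shape an environment dump takes, and report the
                     secret-looking variable names found there (never values).
The dump format, the secret-name heuristic and SAMPLE_LOG are assumptions.
"""
import re
from typing import Optional

# (lowest vulnerable, highest vulnerable, first fixed) per artifact,
# copied from the advisory's artifact table.
_BASE = [
    ("23.0.0", "23.6.10", "23.6.11"),
    ("24.0.0", "24.9.17", "24.9.18"),
    ("24.10.0", "24.10.3", "24.10.4"),
    ("25.0.0", "25.0.11", "25.0.12"),
    ("25.1.0", "25.1.4", "25.1.5"),
]
RANGES = {
    "com.vaadin:flow-plugin-base": _BASE,
    "com.vaadin:flow-maven-plugin": _BASE,
    # The Gradle plugin table in the advisory starts at 24.0.0 (no 23.x row).
    "com.vaadin:flow-gradle-plugin": _BASE[1:],
}


def parse_version(version: str) -> tuple:
    """'24.9.17' -> (24, 9, 17). A qualifier such as '-SNAPSHOT' is dropped.
    Numeric comparison is essential: as strings, '24.10.3' < '24.9.17'."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(artifact: str, version: str) -> Optional[str]:
    """Return the first fixed version if (artifact, version) is vulnerable,
    otherwise None. Artifacts not in the table are reported as not affected."""
    v = parse_version(version)
    for low, high, fixed in RANGES.get(artifact, []):
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


# Heuristic for credential-bearing variable names (assumption of this example).
SECRET_NAME = re.compile(
    r"TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL", re.I
)
# A line of the form NAME=value, as an environment dump prints it (assumed shape).
ENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)=(.*)$")


def find_env_dumps(log_text: str, min_block: int = 3) -> list:
    """Return the secret-looking variable names that appear inside runs of at
    least `min_block` consecutive NAME=value lines. Isolated NAME=value lines
    (e.g. a single echoed setting) are ignored; values are never returned, so
    the result is safe to paste into an incident ticket."""
    found = []
    block = []

    def flush():
        if len(block) >= min_block:
            found.extend(name for name in block if SECRET_NAME.search(name))
        block.clear()

    for line in log_text.splitlines():
        match = ENV_LINE.match(line)
        if match:
            block.append(match.group(1))
        else:
            flush()
    flush()
    return found


# Constructed sample log: what a failed frontend build on an affected plugin
# might leave in CI history. Not a real Vaadin log; the values are dummies.
SAMPLE_LOG = """\
[INFO] Running frontend build
[ERROR] Frontend build exited with code 1
PATH=/usr/local/bin:/usr/bin
HOME=/home/ci
NPM_TOKEN=npm_dummy0000000000000000000000000000
AWS_SECRET_ACCESS_KEY=dummy/dummy/dummyEXAMPLEKEY
JAVA_HOME=/opt/jdk
[INFO] BUILD FAILURE
"""

if __name__ == "__main__":
    for artifact, version in [
        ("com.vaadin:flow-maven-plugin", "24.9.17"),
        ("com.vaadin:flow-maven-plugin", "24.10.4"),
        ("com.vaadin:flow-gradle-plugin", "23.6.10"),
    ]:
        fix = is_affected(artifact, version)
        print(f"{artifact}:{version} -> " + (f"upgrade to {fix}" if fix else "not affected"))
    print("secret-looking names in dump:", find_env_dumps(SAMPLE_LOG))
```

Feed `is_affected` the coordinates and version that `mvn dependency:resolve-plugins` or the Gradle plugin classpath actually reports, not the platform version from the BOM, since the two tables in the advisory differ by a patch release on several lines. Run `find_env_dumps` over the logs of every failed build that ran on an affected version; any name it reports is a credential to rotate, whether or not the dump is still visible in the CI UI.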
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Information exposure through an error message
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vaadin Flow security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vaadin Flow is an open-source application framework from Vaadin: the Java framework of the Vaadin platform, used to build modern web applications that look good, perform well, and satisfy both you and your users. A security vulnerability exists in Vaadin Flow versions 23.0.0 through 23.6.9, 24.0.0 through 24.10.3, and 25.0.0 through 25.1.4. It stems from the full set of environment variables being exposed when the frontend build process exits with a non-zero status, which may lead to credential leakage.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor    Product    Affected Versions     CPE
vaadin    flow       23.0.0 - 23.6.10      -
vaadin    flow       23.0.0 - 23.6.10      -
vaadin    flow       24.0.0 - 24.9.17      -

II. Public POCs for CVE-2026-7860


No public POC found.


III. Intelligence Information for CVE-2026-7860


Patches & Fixes for CVE-2026-7860 (1)

Vendor Advisories for CVE-2026-7860 (1)

IV. Related Vulnerabilities
