CVE-2026-45581
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In versions from 2.3.1 to before 2.5.10, when deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server logs include the TLS private key password in plaintext. This allows an attacker with access to the logs to recover the password.
Risk Assessment
Attackers could use the exposed password to impersonate the chaincode server, potentially leading to serious security breaches in the system.
Recommendation
It is recommended to upgrade to version 2.5.10 or later to mitigate this vulnerability and to restrict access to the chaincode server logs.
Original NVD description (English source)
fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10.

