Hyperledger Fabric Chaincode Java
- >= 2.3.1, <= 2.5.9
A vulnerability exists in Hyperledger Fabric Chaincode Java versions 2.3.1 through 2.5.9 (that is, prior to 2.5.10) when the chaincode is deployed in chaincode-as-a-service mode with TLS enabled. The chaincode server's INFO-level logs inadvertently include the TLS private key password in plaintext. An attacker with access to these logs could retrieve the password, and if they also obtain the TLS private key file, they could impersonate the chaincode server.
Exposing the TLS private key password in logs could lead to unauthorized impersonation of the chaincode server, especially if the private key is also compromised.
Users are advised to update to version 2.5.10 or later, redact or remove any logs containing the TLS private key password (including copies already forwarded to log aggregation or backup systems), and change the TLS private key password. Additionally, impacted deployments can temporarily mitigate the issue by raising the logging threshold to WARNING or higher, so that INFO-level records, including the one carrying the password, are not written at all.
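The two mitigations above, suppressing INFO-level records and redacting secrets before they reach a log sink, can be applied to any Java service without waiting for the fixed release. The following is an added example, not code from the Fabric project: it uses only `java.util.logging`, the log line it feeds in is a constructed sample (the real Fabric log format and the `keyPassword` field name are assumptions), and the redaction pattern is a generic one for `password`/`passwd`/`secret` style key-value fields.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Filter;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ChaincodeLogHardening {

    // Generic pattern for "somethingPassword=value", "secret: value", etc.
    // Group 1 keeps the field name and separator, group 2 is the value to mask.
    private static final Pattern SECRET_FIELD = Pattern.compile(
            "(?i)(\\b[\\w.\\-]*(?:password|passwd|secret)\\b\\s*[=:]\\s*)(\\S+)");

    /** Replace the value of any secret-looking key-value field with a fixed marker. */
    static String redact(String message) {
        if (message == null) {
            return null;
        }
        Matcher m = SECRET_FIELD.matcher(message);
        return m.replaceAll("$1[REDACTED]");
    }

    /**
     * A handler filter that rewrites the record in place before the handler
     * formats it. Formatting parameters are masked as well, since a secret may
     * arrive as a {0}-style argument rather than inside the message template.
     */
    static final Filter REDACTING_FILTER = record -> {
        record.setMessage(redact(record.getMessage()));
        Object[] params = record.getParameters();
        if (params != null) {
            for (int i = 0; i < params.length; i++) {
                if (params[i] instanceof String) {
                    params[i] = redact((String) params[i]);
                }
            }
            record.setParameters(params);
        }
        return true; // always loggable; the level threshold is enforced separately
    };

    /**
     * Build a logger whose console output is gated at {@code threshold} and
     * redacted. At WARNING, INFO records are dropped before any handler sees them.
     */
    static Logger configure(String name, Level threshold) {
        Logger logger = Logger.getLogger(name);
        logger.setUseParentHandlers(false);
        for (Handler h : logger.getHandlers()) {
            logger.removeHandler(h);
        }
        ConsoleHandler console = new ConsoleHandler();
        console.setLevel(threshold);
        console.setFilter(REDACTING_FILTER);
        logger.addHandler(console);
        logger.setLevel(threshold);
        return logger;
    }

    public static void main(String[] args) {
        // Constructed sample of a startup configuration dump; hypothetical shape,
        // not the actual line emitted by the vulnerable versions.
        String startupLine = "Starting chaincode server tls=true "
                + "keyFile=/certs/server.key keyPassword=hunter2 port=9999";

        // Mitigation 1: keep INFO but mask the secret -> "... keyPassword=[REDACTED] ..."
        Logger verbose = configure("chaincode-server-info", Level.INFO);
        verbose.info(startupLine);

        // Mitigation 2 (the advisory's temporary workaround): raise the threshold
        // to WARNING so the INFO record is never written at all.
        Logger quiet = configure("chaincode-server-warn", Level.WARNING);
        quiet.info(startupLine);                 // dropped
        quiet.warning("chaincode server started with TLS"); // still emitted
    }
}
```

Raising the threshold is the cheaper control but also hides legitimate operational INFO messages, which is why the advisory frames it as temporary; the redacting filter lets INFO logging stay on while the affected versions are still in service, and remains useful after upgrading as a defence against the next accidental secret in a configuration dump.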