Vaadin Build Plugins Information Disclosure Vulnerability

Vulnerability

An information disclosure vulnerability has been identified in the Vaadin Maven and Gradle plugins. When the frontend build process fails, the plugins log the complete set of environment variables. That output then ends up in continuous integration (CI) logs and archived build artifacts. Because the build environment often carries sensitive credentials, the failure path can expose those secrets in clear text. CI providers typically mask known secrets in real-time log views, but archived logs and diagnostic logs shared between developers do not receive the same protection.
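The practical question for a defender is which already-archived logs contain such a dump and which variables in it need rotating. The script below is an added example (not Vaadin's code and not the plugin's actual output format): it detects runs of consecutive `NAME=value` lines in a log, flags variable names that look like secrets, and writes a redacted copy. The sample log, the dump layout and the name patterns are constructed assumptions.

```python
"""Triage archived CI logs for environment-variable dumps (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of a failed frontend build log. The exact layout the
# plugin uses when it dumps the environment is an assumption here.
SAMPLE_LOG = """\
BUILD_ID=4711
[INFO] --- vaadin-maven-plugin:build-frontend ---
[ERROR] Frontend build failed
[ERROR] Environment:
PATH=/usr/local/bin:/usr/bin
JAVA_HOME=/opt/jdk
NPM_TOKEN=npm_EXAMPLE_TOKEN_0000
AWS_SECRET_ACCESS_KEY=EXAMPLE_SECRET_VALUE
HOME=/home/ci
[ERROR] BUILD FAILURE
"""

# A whole line of the form NAME=value (value may itself contain '=').
ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# Variable names that usually hold credentials; extend for your environment.
SENSITIVE_NAME = re.compile(
    r"SECRET|TOKEN|PASSW|API_?KEY|PRIVATE_?KEY|CREDENTIAL|AUTH", re.IGNORECASE
)


def find_env_dumps(log_text: str, min_run: int = 3) -> List[Tuple[int, int]]:
    """Return (start, end) 0-based line ranges of runs of at least `min_run`
    consecutive NAME=value lines. Single lines such as BUILD_ID=... are
    ignored so that ordinary build output is not flagged."""
    lines = log_text.splitlines()
    runs: List[Tuple[int, int]] = []
    start = None
    for i, line in enumerate(lines):
        if ENV_LINE.match(line):
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(lines) - start >= min_run:
        runs.append((start, len(lines) - 1))
    return runs


def flag_sensitive(log_text: str, min_run: int = 3) -> Dict[str, int]:
    """Map secret-looking variable names found inside a dump to their line
    number; these are the credentials to rotate."""
    lines = log_text.splitlines()
    found: Dict[str, int] = {}
    for start, end in find_env_dumps(log_text, min_run):
        for i in range(start, end + 1):
            name = ENV_LINE.match(lines[i]).group(1)
            if SENSITIVE_NAME.search(name):
                found[name] = i
    return found


def redact(log_text: str, min_run: int = 3) -> str:
    """Return a copy of the log with the values of secret-looking variables
    inside dumps replaced, suitable for re-archiving or sharing."""
    lines = log_text.splitlines()
    dump_lines = set()
    for start, end in find_env_dumps(log_text, min_run):
        dump_lines.update(range(start, end + 1))
    out = []
    for i, line in enumerate(lines):
        m = ENV_LINE.match(line)
        if i in dump_lines and m and SENSITIVE_NAME.search(m.group(1)):
            out.append(f"{m.group(1)}=[REDACTED]")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if log_text.endswith("\n") else "")


if __name__ == "__main__":
    print("dumps at:", find_env_dumps(SAMPLE_LOG))
    print("rotate:", sorted(flag_sensitive(SAMPLE_LOG)))
    print(redact(SAMPLE_LOG))
```

Run it over each archived log of a failed build; the `flag_sensitive` result is the rotation list, and the `redact` output is what should replace the archived copy. Redaction of a log does not undo exposure, so rotating the flagged credentials comes first.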

Impact

Exposing environment variables in build logs can lead to unauthorized disclosure of sensitive information, including credentials and other secrets, in clear text.

Remediation

Users should upgrade to Vaadin versions 23.6.10, 24.10.4 or newer, or 25.1.5 or newer. Vaadin 14 is not affected. For Maven users, the updated version can be specified in the project's pom.xml file. Gradle users should update the version in their build.gradle file.

Added: May 19, 2026, 12:54 PM
Updated: May 19, 2026, 2:05 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 4.7
remediation: 0.0
relevance: 8.8
threat: 0.0
urgency: 1.4
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.