PatchSiren cyber security CVE debrief

CVE-2026-45581 hyperledger CVE debrief

CVE-2026-45581 is a vulnerability in fabric-chaincode-java, a Java-based implementation of Hyperledger Fabric chaincode shim APIs. Versions from 2.3.1 to before 2.5.10, when deployed in chaincode-as-a-service mode with TLS enabled, log the TLS private key password in plaintext at the INFO level. An attacker with access to these logs could recover the password and, if they also obtain the TLS private key, impersonate the chaincode server. This issue was patched in version 2.5.10.

Vendor: hyperledger
Product: fabric-chaincode-java
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-09
Advisory published: 2026-06-08
Advisory updated: 2026-06-09

Who should care

Users of fabric-chaincode-java, especially those deploying it in chaincode-as-a-service mode with TLS enabled, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in fabric-chaincode-java versions 2.3.1 to before 2.5.10. When chaincode is deployed with TLS enabled, the INFO level server logs include the TLS private key password in plaintext. This allows an attacker with log access to recover the password and potentially impersonate the server if they also obtain the private key.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to version 2.5.10 or later of fabric-chaincode-java.
  • Review and secure access to chaincode server logs.
  • Consider additional security measures to protect TLS private keys.
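As an added example (not code from PatchSiren or the Hyperledger project), the first two actions above can be scripted: a version test against the advisory's affected range, and a scan of chaincode server logs for lines that carry a password value so they can be redacted or escalated. The log format and the sample lines are assumptions; the real fabric-chaincode-java message text is not reproduced here.

```python
import re
from typing import List, Tuple

# Affected range from the advisory: 2.3.1 <= version < 2.5.10.
AFFECTED_MIN = (2, 3, 1)
FIXED = (2, 5, 10)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10' (or 'v2.5.10-rc1') into a comparable tuple of ints."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version: str) -> bool:
    """True if this fabric-chaincode-java version is in the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Password-like keys followed by a value; group 4 is the value itself.
# Assumption: the leak shows up as 'password=<value>' style text; the real
# fabric-chaincode-java message wording is not reproduced here.
SECRET_KEY = re.compile(
    r"(?i)\b(tls[._-]?)?(key|keystore)?[._-]?(password|passwd|pass)\b\s*[=:]\s*(\S+)"
)
REDACTED = {"<redacted>", "****"}


def find_leaked_secrets(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, redacted copy) for log lines that expose a secret."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = SECRET_KEY.search(line)
        if m and m.group(4) not in REDACTED:
            hits.append((n, line[: m.start(4)] + "<redacted>" + line[m.end(4):]))
    return hits


# Constructed sample log lines, not real fabric-chaincode-java output.
SAMPLE_LOG = [
    "INFO  ChaincodeServer - chaincode-as-a-service listening on 0.0.0.0:9999",
    "INFO  ChaincodeServer - TLS enabled, key_password=hunter2",
    "INFO  ChaincodeServer - TLS enabled, key_password=<redacted>",
    "DEBUG ChaincodeServer - health check ok",
]

if __name__ == "__main__":
    for v in ("2.3.0", "2.3.1", "2.5.9", "2.5.10"):
        print(v, "affected" if is_affected(v) else "not affected")
    for n, line in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {n}: {line}")
```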

Evidence notes

The vulnerability was patched in version 2.5.10. For more information, see the GitHub security advisory [GHSA-wg5x-3g47-v38r](https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r).

Official resources

CVE-2026-45581 was published on 2026-06-08 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-45581)) and last modified on 2026-06-09 ([NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-45581)).