PatchSiren

CVE-2026-7860 vaadin CVE debrief

CVE-2026-7860 is an information disclosure issue affecting Vaadin Maven and Gradle plugins. When the frontend build process exits with a non-zero status, the plugins can expose the full set of environment variables in build logs. In CI systems, that can leak secrets supplied as environment variables into logs and archived artifacts. The CVE was published on 2026-05-19 and updated on 2026-05-21. The record rates the issue Low severity (CVSS 1.6).

Vendor: vaadin
Product: flow
CVSS: LOW 1.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-21
Advisory published: 2026-05-19
Advisory updated: 2026-05-21

Who should care

Teams that build Vaadin applications in CI/CD, especially if build jobs inject credentials or other secrets through environment variables. Organizations using Vaadin Maven or Gradle plugins in affected versions should treat failed frontend builds as a potential secret-disclosure path.

Technical summary

The reported condition is triggered when the frontend build exits non-zero. In that failure path, the Vaadin build plugins may print the complete environment variable set into logs. Because build environments commonly contain tokens, keys, or other secrets, the failure output can disclose sensitive values to log viewers and any systems that retain build artifacts. The supplied record ties the issue to Vaadin flow-plugin-base, flow-maven-plugin, and flow-gradle-plugin version ranges listed in the advisory text.

Defensive priority

Medium for affected CI/CD pipelines that handle secrets; otherwise lower. The CVSS score is low, but the impact can be operationally significant if build logs are widely accessible or retained.

Recommended defensive actions

  • Upgrade affected Vaadin components to a fixed release: 23.6.10 or newer, 24.9.17 or newer, 24.10.4 or newer, 25.0.11 or newer, or 25.1.5 or newer, as applicable to your line.
  • Review CI jobs that run Vaadin frontend builds and, wherever possible, stop passing secrets to the build through environment variables.
  • Check build log retention and access controls so that failed build output is not broadly readable.
  • Audit recent failed frontend builds for unexpected secret material in logs or archived artifacts.
  • If you must remain on an affected release temporarily, reduce the sensitivity of variables present in the build environment and restrict log access tightly.
  • Retire unsupported Vaadin versions noted in the advisory text and move to a supported 23, 24, or 25 release line.
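The audit step above (scanning failed build output for leaked secret material) and the failure path described in the technical summary can be worked through with a small log scanner. The following is an added example written for this debrief; it is not code from Vaadin or from the PatchSiren record. The sample log, its wording for the exit status line, and the layout of the environment dump are all constructed assumptions: the scanner only relies on the generic NAME=value lines that any environment dump produces. It flags variables whose names conventionally carry secrets, catches innocuously named variables by value entropy, and produces a redacted copy suitable for archiving.

```python
import math
import re
from collections import Counter
from typing import Optional

# Constructed sample of a failed Vaadin frontend build log. The exact wording and
# layout of the environment dump written by the affected plugins is an assumption;
# the scanner keys on generic NAME=value lines, which is what any env dump produces.
# Every value below is made up for this example.
SAMPLE_LOG = """\
[INFO] --- vaadin-maven-plugin (build-frontend) @ demo-app ---
[INFO] Running frontend build...
[ERROR] Frontend build exited with code 1
[ERROR] Environment:
PATH=/usr/local/bin:/usr/bin
JAVA_HOME=/opt/jdk-21
CI=true
NPM_TOKEN=npm_Qk3sd9Flq2Wx7Vb1Tz8mYpR4Ls6NcH0
AWS_SECRET_ACCESS_KEY=Zq8xPl2mVw9cKt4rNs7bYh1jFg6dLe3a0UoI5
DB_PASSWORD=hunter2
NEXUS_AUTH=a1b2c3d4e5f6g7h8i9j0kLmNoPqRsTuV
BUILD_NUMBER=1842
[ERROR] BUILD FAILURE
"""

# Variable names that conventionally carry secrets (heuristic, case-insensitive).
SENSITIVE_NAME = re.compile(r"TOKEN|SECRET|PASSW|API_?KEY|ACCESS_KEY|CREDENTIAL|PRIVATE_KEY", re.I)
# A bare NAME=value line as produced by an environment dump.
ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# Exit status line (assumed wording); a non-zero status is the condition the CVE describes.
EXIT_LINE = re.compile(r"exited with code (\d+)")

ENTROPY_THRESHOLD = 4.0   # bits per character; paths and flags stay well below this
MIN_SECRET_LENGTH = 20    # short values are judged by name only


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking tokens score high, paths low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def failed_build_exit_code(log_text: str) -> Optional[int]:
    """Return the first non-zero exit code mentioned in the log, else None."""
    for m in EXIT_LINE.finditer(log_text):
        code = int(m.group(1))
        if code != 0:
            return code
    return None


def classify(name: str, value: str) -> Optional[str]:
    """Why a NAME=value pair looks like a leaked secret, or None if it looks benign."""
    if SENSITIVE_NAME.search(name):
        return "sensitive variable name"
    if len(value) >= MIN_SECRET_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "high-entropy value"
    return None


def scan_log(log_text: str) -> list:
    """List every environment assignment in the log that looks like a secret."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        reason = classify(name, value)
        if reason:
            # Keep only a short preview so the finding itself does not re-leak the value.
            findings.append({"line": lineno, "name": name, "reason": reason,
                             "preview": value[:4] + "..." if value else ""})
    return findings


def redact_log(log_text: str) -> str:
    """Copy of the log with flagged values masked, for safe archiving or sharing."""
    out = []
    for line in log_text.splitlines():
        m = ENV_LINE.match(line)
        if m and classify(m.group(1), m.group(2)):
            line = f"{m.group(1)}=***REDACTED***"
        out.append(line)
    return "\n".join(out) + ("\n" if log_text.endswith("\n") else "")


if __name__ == "__main__":
    code = failed_build_exit_code(SAMPLE_LOG)
    print(f"frontend build failed with exit code {code}" if code else "build did not fail")
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['name']} ({f['reason']}) preview={f['preview']}")
    print(redact_log(SAMPLE_LOG))
```

Run it over archived logs of failed jobs rather than only the most recent one, since the disclosure happens on every non-zero exit and retention policies decide how long the dump stays readable. The name heuristic catches the obvious cases; the entropy check exists for variables such as NEXUS_AUTH in the sample, whose name says nothing but whose value is clearly a credential, and it is the part worth tuning to your own environment.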

Evidence notes

All substantive findings here come from the supplied CVE record text and its official references. The record states that failed frontend builds in Vaadin Maven and Gradle plugins may expose the full set of environment variables in build logs, potentially leaking CI secrets. The source item includes official references to the Vaadin advisory and a GitHub pull request, and the CVE record was published on 2026-05-19 and modified on 2026-05-21. The source metadata lists CWE-209 and a low CVSS score.

Official resources

Publicly disclosed in the supplied CVE record; published 2026-05-19 and updated 2026-05-21.