2427563 – (CVE-2026-25211) CVE-2026-25211 llamastack/llama-stack: Sensitive Information Exposure Through Log Files in Llama Stack PGVector Integration

Bug 2427563 (CVE-2026-25211) - CVE-2026-25211 llamastack/llama-stack: Sensitive Information Exposure Through Log Files in Llama Stack PGVector Integration

Summary: CVE-2026-25211 llamastack/llama-stack: Sensitive Information Exposure Through...

Keywords:
Status:	NEW
Alias:	CVE-2026-25211
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-07 12:01 UTC by OSIDB Bzimport
Modified:	2026-01-30 07:35 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-07 12:01:07 UTC

Sensitive information exposure vulnerability in the Llama Stack server when PGVector is configured as the vector store provider. The issue is caused by insecure logging of configuration parameters in the PGVector initialization routine, where the database password is written to server logs without redaction. When a LlamaStackDistribution is created, the plaintext password is printed at INFO log level. An attacker or unauthorized user with access to pod or application logs can obtain valid database credentials, potentially leading to unauthorized database access. This flaw does not require user interaction and can compromise the confidentiality of backend services relying on PGVector.

Note You need to log in before you can comment on or make changes to this bug.