GHSA-xmfj-7pp5-fxr6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xmfj-7pp5-fxr6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-xmfj-7pp5-fxr6/GHSA-xmfj-7pp5-fxr6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xmfj-7pp5-fxr6
- Aliases
- Published
- 2026-01-30T09:30:55Z
- Modified
- 2026-02-03T03:12:28.523565Z
- Severity
-
- 3.2 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
- Summary
- Llama Stack exposes secret in initialization log
- Details
-
Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.
- Database specific
{ "severity": "LOW", "github_reviewed": true, "cwe_ids": [ "CWE-532" ], "github_reviewed_at": "2026-01-30T20:56:29Z", "nvd_published_at": "2026-01-30T08:16:02Z" }- References
Affected packages
PyPI / llama-stack
Package
- Name
- llama-stack
- View open source insights on deps.dev
- Purl
- pkg:pypi/llama-stack
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.4.4
Affected versions
0.*
0.0.1a0
0.0.1a1
0.0.1a2
0.0.1a3
0.0.1a4
0.0.1a5
0.0.18
0.0.19
0.0.20
0.0.21
0.0.23
0.0.24
0.0.35
0.0.36
0.0.37
0.0.38
0.0.39
0.0.40
0.0.41
0.0.42
0.0.43
0.0.44
0.0.45
0.0.46
0.0.47
0.0.48
0.0.49
0.0.50
0.0.51.dev0
0.0.51
0.0.52
0.0.53
0.0.54
0.0.55
0.0.56
0.0.57
0.0.58
0.0.59
0.0.60
0.0.61
0.0.62
0.0.63
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.5.1
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.10.1
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.2.17
0.2.18
0.2.19
0.2.20
0.2.21
0.2.22
0.2.23
0.2.24
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.4.1
0.4.2
0.4.3