CVE-2026-22038

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Significant-Gravitas/AutoGPT/commit/1eabc604842fa876c09d69af43d2d1e8fb9b8eb9	Patch
https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-rc89-6g7g-v5v7	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:agpt:autogpt_platform:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-04 23:15

Updated : 2026-02-17 15:42

NVD link : CVE-2026-22038

Mitre link : CVE-2026-22038

CVE.ORG link : CVE-2026-22038

JSON object : View

Products Affected

agpt

autogpt_platform

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2026-22038", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-02-04T23:15:56.057", "references": [{"url": "https://github.com/Significant-Gravitas/AutoGPT/commit/1eabc604842fa876c09d69af43d2d1e8fb9b8eb9", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-rc89-6g7g-v5v7", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46."}, {"lang": "es", "value": "AutoGPT es una plataforma que permite a los usuarios crear, desplegar y gestionar agentes de inteligencia artificial continuos que automatizan flujos de trabajo complejos. Antes de autogpt-platform-beta-v0.6.46, los bloques de integraci\u00f3n de Stagehand de la plataforma AutoGPT registraban claves API y secretos de autenticaci\u00f3n en texto plano utilizando sentencias logger.info(). Esto ocurre en tres implementaciones de bloques separadas (StagehandObserveBlock, StagehandActBlock y StagehandExtractBlock) donde el c\u00f3digo llama expl\u00edcitamente a api_key.get_secret_value() y registra el resultado. Este problema ha sido parcheado en autogpt-platform-beta-v0.6.46."}], "lastModified": "2026-02-17T15:42:50.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:agpt:autogpt_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9642924-6805-44F1-9115-2BFB5F87B8B7", "versionEndExcluding": "0.6.46"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}