Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46.
Published: 2026-02-04
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Prior to autogpt-platform-beta-v0.6.46, three Stagehand integration blocks in AutoGPT logged API keys and authentication secrets in plaintext using logger.info() statements, exposing credentials that belong to the user. This vulnerability is classified as CWE-532, a type of information leakage whereby sensitive data can be read from logs. An attacker who can read the log files would gain access to these secrets, potentially allowing unauthorized use of external services, data exfiltration, or further compromise of the user’s environment.
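
The logging pattern described above, shown beside a corrected form and a handler-level redaction filter as a backstop. This is an added example, not AutoGPT's code: the `SecretStr` stand-in, the function names, the log messages and the key value are constructed for illustration; only `get_secret_value()` and `logger.info()` come from the advisory text.

```python
import io
import logging

class SecretStr:
    """Constructed stand-in for a secret wrapper exposing get_secret_value()."""
    def __init__(self, value):
        self._value = value
    def get_secret_value(self):
        return self._value
    def __str__(self):
        return "**********"  # masked whenever the object itself is formatted
    __repr__ = __str__

def log_vulnerable(logger, api_key):
    # CWE-532 pattern from the advisory: the unwrapped secret reaches the log.
    logger.info("Using API key %s", api_key.get_secret_value())

def log_hardened(logger, api_key):
    # Log the wrapper (masked) or, better, only the fact that a key is set.
    logger.info("Using API key %s", api_key)

class RedactSecrets(logging.Filter):
    """Backstop: scrub known secret values from every record a handler emits."""
    def __init__(self, secrets):
        super().__init__()
        self._secrets = [s for s in secrets if s]
    def filter(self, record):
        msg = record.getMessage()  # render %-args first so secrets in args are caught
        for secret in self._secrets:
            msg = msg.replace(secret, "[REDACTED]")
        record.msg, record.args = msg, None
        return True

def capture(log_fn, api_key, redact=False):
    """Run log_fn against an in-memory handler and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if redact:
        handler.addFilter(RedactSecrets([api_key.get_secret_value()]))
    logger = logging.getLogger(f"demo.{log_fn.__name__}.{redact}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [handler]
    log_fn(logger, api_key)
    return buf.getvalue()

KEY = SecretStr("sk-constructed-0000")  # constructed sample value, not a real key

if __name__ == "__main__":
    print(capture(log_vulnerable, KEY), end="")
    print(capture(log_hardened, KEY), end="")
    print(capture(log_vulnerable, KEY, redact=True), end="")
```

The filter only catches values it has been told about, so it complements removing the `get_secret_value()` call from log statements and does not replace that fix.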

Affected Systems

This issue affects the AutoGPT platform released by Significant-Gravitas prior to version autogpt-platform-beta-v0.6.46. The affected components are the StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock within the AutoGPT codebase.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity, yet the EPSS score is <1% and it is not listed in the CISA KEV catalog, suggesting that exploitation is unlikely. Likely attack vectors are local, involving access to the system’s log files or a misconfigured logging service that persists logs on a shared or insecure medium.

Generated by OpenCVE AI on April 17, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AutoGPT to autogpt-platform-beta-v0.6.46 or later to remove the plaintext logging
  • Audit existing log files for exposed credentials and remove or securely delete any that contain secrets
  • Restrict access to the application’s log files and ensure log rotation is configured so that logs are not retained longer than necessary



Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Agpt, Agpt autogpt Platform |
| CPEs | | cpe:2.3:a:agpt:autogpt_platform:*:*:*:*:*:*:*:* |
| Vendors & Products | | Agpt, Agpt autogpt Platform |

Thu, 05 Feb 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 05 Feb 2026 11:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Significant-gravitas, Significant-gravitas autogpt |
| Vendors & Products | | Significant-gravitas, Significant-gravitas autogpt |

Wed, 04 Feb 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46. |
| Title | | AutoGPT's API Keys and Secrets Logged in Plaintext in Stagehand Integration Blocks |
| Weaknesses | | CWE-532 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'} |


Subscriptions

Agpt Autogpt Platform
Significant-gravitas Autogpt
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T15:04:13.893Z

Reserved: 2026-01-05T22:30:38.719Z

Link: CVE-2026-22038

Vulnrichment

Updated: 2026-02-05T15:04:05.991Z

NVD

Status: Analyzed

Published: 2026-02-04T23:15:56.057

Modified: 2026-02-17T15:42:50.107

Link: CVE-2026-22038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses