CVE-2026-22038

HIGH

AutoGPT <autogpt-platform-beta-v0.6.46 - Info Disclosure

Title source: llm
STIX 2.1

Description

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46.

Exploits (1)

github WRITEUP
by sivaadityacoder · poc
https://github.com/sivaadityacoder/CVE-2026-22038

References (2)

Scores

CVSS v3 8.1
EPSS 0.0011
EPSS Percentile 29.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-532
Status published
Products (1)
agpt/autogpt_platform < 0.6.46
Published Feb 04, 2026
Tracked Since Feb 18, 2026