CVE-2026-22038

CVE-2026-22038 is a vulnerability in the AutoGPT platform, which enables users to create, deploy, and manage continuous AI agents for automating complex workflows. In versions prior to autogpt-platform-beta-v0.6.46, the Stagehand integration's block implementations—specifically StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock—log API keys and authentication secrets in plaintext. This occurs through explicit calls to api_key.get_secret_value() followed by logger.info() statements, violating CWE-532 (Insertion of Sensitive Information into Log File). The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), highlighting high confidentiality and availability impacts.

An attacker with low privileges, such as a legitimate user or service account with network access to the AutoGPT platform, can exploit this vulnerability with low complexity and no user interaction required. By accessing the logs generated by the affected Stagehand blocks, the attacker can extract plaintext API keys and authentication secrets, enabling unauthorized access to integrated services, potential lateral movement, or further compromise depending on the secrets' scope. The high confidentiality impact stems directly from secret exposure, while the availability impact likely arises from disruptions possible after credential misuse.

The vulnerability has been patched in autogpt-platform-beta-v0.6.46, as detailed in the GitHub security advisory (GHSA-rc89-6g7g-v5v7) and the fixing commit (1eabc604842fa876c09d69af43d2d1e8fb9b8eb9). Security practitioners should upgrade to the patched version and review existing logs for exposed secrets, implementing log monitoring, rotation, and redaction controls to mitigate risks in AI agent platforms like AutoGPT.

This issue is particularly relevant in AI/ML contexts, as AutoGPT handles autonomous agents that often integrate sensitive third-party APIs for tasks like observation, action, and extraction in workflows. No public evidence of real-world exploitation is available as of the CVE publication on 2026-02-04.