GHSA-f3jg-756w-gm35
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f3jg-756w-gm35
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-f3jg-756w-gm35/GHSA-f3jg-756w-gm35.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f3jg-756w-gm35
- Aliases
-
- CVE-2026-45046
- Published
- 2026-05-11T21:20:04Z
- Modified
- 2026-05-11T21:48:41.698648Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content
- Details
-
Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive
file-writecontent remains in the storedpayloadasContentPreview,OldString, orNewStringat the defaultstandardlogging level and atfull. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryphs sensitive file filter and log level contracts.Impact
Potentially sensitive data accessed or written by coding agents may be logged to local sqlite database. Users of Gryph are affected ONLY if their local sqlite database is stolen or exported to remote system with the assumption that no sensitive data is logged.
Patches
Fixed in v0.7.0
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-11T21:20:04Z", "cwe_ids": [ "CWE-212" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
Go / github.com/safedep/gryph
Package
- Name
- github.com/safedep/gryph
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/safedep/gryph