CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly states that the default log level is minimal, while it is actually standard. Source code review shows sensitive `file-write` content remains in the stored `payload` as `ContentPreview`, `OldString`, or `NewString` at the default `standard` logging level and at `full`. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryph's sensitive file filter and log level contracts. Potentially sensitive data accessed or written by coding agents may be logged to the local sqlite database. Users of Gryph are affected ONLY if their local sqlite database is stolen or exported to a remote system under the assumption that no sensitive data is logged. Fixed in v0.7.0.
OpenBao namespace deletion fails to properly clean up data and revoke leases when the initial deletion attempt is interrupted, potentially leaving orphaned storage entries and outstanding leases in the system. Subsequent retry attempts to delete the same namespace do not trigger proper cleanup, creating information disclosure and data integrity risks. This affects OpenBao versions prior to v2.5.3, with a vendor-released patch available.
Authenticated configuration readers in OpenClaw gateway deployments can extract unredacted sensitive credentials through alias field bypass in versions prior to 2026.4.14. Attackers with legitimate config read permissions exploit sourceConfig and runtimeConfig alias fields to obtain provider API keys, gateway authentication tokens, and channel credentials that the redaction mechanism fails to sanitize. The vulnerability affects npm package 'openclaw' in gateway configurations where authenticated clients have config read access, confirmed fixed by vendor in version 2026.4.14 with patch commit 86734ef. CVSS 7.1 reflects network-accessible attack requiring low privileges with high confidentiality impact; no public exploit identified at time of analysis, though technical details published in GHSA-8372-7vhw-cm6q enable reproduction.
Authenticated users with low privileges can read cleartext Kubernetes Secret data through Argo CD's ServerSideDiff feature in versions 3.2.0-3.2.10 and 3.3.0-3.3.8. This scope-changing vulnerability (CVSS:3.1 S:C) allows attackers to access sensitive credential data managed by Kubernetes, including database passwords, API tokens, and certificates, by exploiting the server-side diff functionality. With a 7.7 CVSS score and low attack complexity (AC:L), this represents a significant confidentiality breach requiring only network access and basic authentication; no public exploit identified at time of analysis, but the technical barrier to exploitation is minimal.
Windows Recovery Environment Agent improperly stores sensitive information without adequate removal, allowing physical attackers to extract confidential data and bypass security features. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, Windows Server 2016-2025, and Server Core installations across multiple builds. Microsoft has released vendor patches to remediate the information disclosure.
Information disclosure in the MediaWiki CentralAuth extension exposes sensitive authentication data to unauthorized parties through improper removal before storage or transfer. This affects non-release development branches with a network-accessible attack vector requiring no authentication (CVSS:4.0 AV:N/PR:N). While no public exploit or active exploitation (not in CISA KEV) is identified at time of analysis, the CVSS 8.8 rating reflects high confidentiality impact and low complexity, making this a significant risk for organizations running development builds.
Trino's Iceberg connector leaks AWS S3 access credentials through query JSON endpoints, allowing authenticated users with write privileges to extract static or temporary credentials used for object storage access. The vulnerability exposes credentials via the query visualization API (/ui/api/query/ and /v1/query/ endpoints) when users perform write or table maintenance operations. With a CVSS of 7.7 and EPSS data not provided, this represents a confirmed credential exposure issue requiring immediate attention for organizations using Iceberg REST catalog configurations with storage credentials. No public exploit identified at time of analysis, though exploitation requires only low-privilege authenticated access.
An authenticated user could view confidential issue titles in public GitLab projects that they shouldn't have access to due to a flaw in access controls. This affects GitLab CE/EE versions 8.14 through 18.9.1, impacting any organization using these versions. An attacker with a GitLab account could exploit this to read sensitive information hidden in issue titles, potentially exposing confidential project details.
GitLab has remediated a security vulnerability (CVSS 4.3) in GitLab CE/EE affecting all versions from 12.6 up to 18.7.6.
tfplan2md versions before 1.26.1 fail to properly mask sensitive values in Terraform plan reports across multiple rendering paths, causing credentials and other confidential data to be exposed in plaintext markdown output instead of being redacted. Administrators and developers using affected versions to generate infrastructure reports may inadvertently expose secrets to unauthorized parties with access to the generated documentation. No patch is currently available for this high-severity information disclosure vulnerability affecting Azure and Terraform workflows.