CVE-2026-45046: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in safedep gryph
Gryph provides a security layer for AI coding agents. Prior to 0.7.0, Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive file-write content remains in the stored payload as ContentPreview, OldString, or NewString at the default standard logging level and at full. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryphs sensitive file filter and log level contracts. This vulnerability is fixed in 0.7.0.
AI Analysis
Technical Summary
Gryph, a security layer for AI coding agents by safedep, prior to version 0.7.0, improperly logs sensitive file content to a local sqlite database due to incorrect handling of logging levels. The README incorrectly states the default log level as minimal, but it is actually standard, which causes sensitive data to be stored in fields such as ContentPreview, OldString, or NewString. This constitutes a CWE-212 vulnerability (Improper Removal of Sensitive Information Before Storage or Transfer). The issue is resolved in gryph version 0.7.0.
Potential Impact
Sensitive file content may be exposed through local logs stored in the sqlite database, potentially leading to confidentiality breaches. The vulnerability does not affect integrity or availability. Exploitation requires local access with low privileges. No known active exploitation has been reported.
Mitigation Recommendations
Upgrade gryph to version 0.7.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 0.7.0, applying this official fix is the recommended remediation. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are indicated.
CVE-2026-45046: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in safedep gryph
Description
Gryph provides a security layer for AI coding agents. Prior to 0.7.0, Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive file-write content remains in the stored payload as ContentPreview, OldString, or NewString at the default standard logging level and at full. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryphs sensitive file filter and log level contracts. This vulnerability is fixed in 0.7.0.
CVSS v3.1
Score 5.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Gryph, a security layer for AI coding agents by safedep, prior to version 0.7.0, improperly logs sensitive file content to a local sqlite database due to incorrect handling of logging levels. The README incorrectly states the default log level as minimal, but it is actually standard, which causes sensitive data to be stored in fields such as ContentPreview, OldString, or NewString. This constitutes a CWE-212 vulnerability (Improper Removal of Sensitive Information Before Storage or Transfer). The issue is resolved in gryph version 0.7.0.
Potential Impact
Sensitive file content may be exposed through local logs stored in the sqlite database, potentially leading to confidentiality breaches. The vulnerability does not affect integrity or availability. Exploitation requires local access with low privileges. No known active exploitation has been reported.
Mitigation Recommendations
Upgrade gryph to version 0.7.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 0.7.0, applying this official fix is the recommended remediation. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T18:07:27.341Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a173900e29bf47b50dc2e35
Added to database: 5/27/2026, 6:33:36 PM
Last enriched: 5/27/2026, 6:48:48 PM
Last updated: 5/27/2026, 7:45:19 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.