CVE-2026-45046: Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content

May 11, 2026 (updated June 8, 2026)

Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive file-write content remains in the stored payload as ContentPreview, OldString, or NewString at the default standard logging level and at full. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryphs sensitive file filter and log level contracts.

References

github.com/advisories/GHSA-f3jg-756w-gm35
github.com/safedep/gryph/releases/tag/v0.7.0
github.com/safedep/gryph/security/advisories/GHSA-f3jg-756w-gm35
nvd.nist.gov/vuln/detail/CVE-2026-45046

Code Behaviors & Features

Detect and mitigate CVE-2026-45046 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →