openhands-sdk is vulnerable to Information exposure
Medium Risk
MCP options on AgentBase (mcp_config in openhands/sdk/agent/base.py) and the plugin and merge flows in plugin/loader.py, skills/utils.py (expand_mcp_variables / load_mcp_config) and local_conversation.py used to apply default substitution patterns too early, before per-conversation secrets from SecretRegistry were in play, so expanded values could be persisted in serialized agent or conversation state. The release adds a get_secret path, defers default expansion during load (expand_defaults=False), re-expands at conversation time with secret_registry.get_secret_value, and adds Pydantic serializers that omit or encrypt mcp_config by default and only expose secrets when an explicit expose_secrets debug flag is set. Before that fix, a caller could plausibly leak or misuse MCP material through saved JSON or pre-expanded plugin configs.
You are affected if you are using a version that falls within the vulnerable range.
openhands-sdk is vulnerable to Information exposure in versions 1.0.0 - 1.18.0.
Upgrade the openhands-sdk library to the patched version.
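To illustrate the fixed flow the advisory describes, here is an added example (not the SDK's own code) that keeps ${VAR} placeholders unexpanded at load time, resolves them only from a per-conversation secret registry, and omits mcp_config from persisted state unless expose_secrets is set. The function names mirror the advisory, but their bodies, the SecretRegistry class and the sample config are constructed, and plain JSON stands in for the SDK's Pydantic serializers.

```python
import json
import re

# ${NAME} placeholders of the kind an MCP server config carries in its env/args
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def expand_mcp_variables(config, lookup, expand_defaults=True):
    """Substitute ${NAME} in every string of a nested MCP config via lookup(name).
    Names that lookup() cannot resolve stay as placeholders. With
    expand_defaults=False nothing is substituted at all, so a config loaded
    from a plugin carries no resolved secret material into persisted state."""
    if not expand_defaults:
        return config
    if isinstance(config, dict):
        return {k: expand_mcp_variables(v, lookup) for k, v in config.items()}
    if isinstance(config, list):
        return [expand_mcp_variables(v, lookup) for v in config]
    if isinstance(config, str):
        def _sub(m):
            value = lookup(m.group(1))
            return m.group(0) if value is None else value
        return PLACEHOLDER.sub(_sub, config)
    return config

class SecretRegistry:
    """Per-conversation secret store (constructed stand-in for the SDK's)."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def get_secret_value(self, name):
        return self._secrets.get(name)

def serialize_agent(name, mcp_config, expose_secrets=False):
    """Persisted JSON form of an agent. mcp_config is omitted unless the caller
    sets the explicit expose_secrets debug flag, so saved state cannot leak it."""
    data = {"name": name}
    if expose_secrets:
        data["mcp_config"] = mcp_config
    return json.dumps(data, sort_keys=True)

# Constructed sample plugin config: the token is referenced, never inlined
RAW_MCP_CONFIG = {
    "mcpServers": {"github": {"command": "npx", "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}"}}}
}

def load_then_run(default_lookup, registry):
    """Fixed flow: defer expansion at load, re-expand at conversation time."""
    loaded = expand_mcp_variables(RAW_MCP_CONFIG, default_lookup, expand_defaults=False)
    live = expand_mcp_variables(loaded, registry.get_secret_value)
    return loaded, live
```

Calling expand_mcp_variables(RAW_MCP_CONFIG, defaults.get) with the default expand_defaults=True reproduces the pre-fix behaviour, where the environment default is inlined before any per-conversation secret exists.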