Intel

AIKIDO-2026-314150

workos is vulnerable to Insertion of Sensitive Information into Log File

Insertion of Sensitive Information into Log File Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 30, 2026

38

Low Risk

This Affects:

RUBYworkos
7.0.0 - 8.0.0
Fixed in 8.0.1
Are you affected? Scan for Free

TL;DR

The SDK's HTTP runtime in base_client.rb writes the full request path and query string to the configured logger on every request, retry, and error. Token-bearing endpoint paths such as /user_management/magic_auth/<token>, invitation by_token, password-reset, and email-verification paths, plus sensitive query keys like token, code, refresh_token, access_token, and session_id, are emitted verbatim into application logs. Anyone with read access to those logs can recover bearer-equivalent, often single-use authentication secrets and replay them to take over accounts or complete auth flows. The fix adds redact_path to mask token path segments and sensitive query-string values before any log line is written.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you configure a logger on the WorkOS client.

Background info

workos is vulnerable to Insertion of Sensitive Information into Log File in versions 7.0.0 - 8.0.0.

How to fix this

Upgrade the workos library to the patch version.