Intel

AIKIDO-2026-543721

instagrapi is vulnerable to Insertion of Sensitive Information into Log File

Insertion of Sensitive Information into Log File Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

51

Medium Risk

This Affects:

PYTHONinstagrapi
1.10.0 - 2.5.10
Fixed in 2.5.11
Are you affected? Scan for Free

TL;DR

The change_password branch of challenge_resolve_simple in instagrapi/mixins/challenge.py printed the freshly rotated account password to stdout via a print() call. When the change_password challenge flow runs and a change_password_handler returns a new password, that plaintext credential is written to stdout and any attached application logs. Anyone able to read that output (log files, journald, aggregated logging) can recover the account password. The fix removes the print() and logs only the password length and attempt metadata, with a regression test asserting the secret never reaches stdout or logs.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the change_password challenge flow via change_password_handler.

Background info

instagrapi is vulnerable to Insertion of Sensitive Information into Log File in versions 1.10.0 - 2.5.10.

How to fix this

Upgrade the instagrapi library to the patch version.