Intel

AIKIDO-2026-833143

posthog is vulnerable to Sensitive Information Disclosure

Sensitive Information Disclosure Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

50

Medium Risk

This Affects:

PYTHONposthog
6.9.0 - 7.20.1
Fixed in 7.20.2
Are you affected? Scan for Free

TL;DR

PostHog's exception autocapture can record the values of local variables from each application stack frame when capture_exception_code_variables is enabled. Variable-name masking is applied, but string values that contain credentials embedded in URLs, DSNs, or connection strings are captured verbatim, and custom objects are serialized through repr() without redacting sensitive attributes. As a result secrets such as database passwords and connection-string credentials can be included in the exception payloads sent to the configured error-tracking destination and become visible to anyone with access to it. The fix scrubs user:pass credentials from connection strings, traverses objects to redact fields like password by attribute name, and enables this masking by default.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and have enabled exception code variable capture.

Background info

posthog is vulnerable to Sensitive Information Disclosure in versions 6.9.0 - 7.20.1.

How to fix this

Upgrade the posthog and/or the posthoganalytics library to the patch version.