Intel

AIKIDO-2026-891308

daft is vulnerable to Exposure of Sensitive Information

Exposure of Sensitive Information Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

53

Medium Risk

This Affects:

PYTHONdaft
0.4.10 - 0.7.12
Fixed in 0.7.13
Are you affected? Scan for Free

TL;DR

The SQLConnection class in daft/sql/sql_connection.py echoes the full database connection URL in read_sql RuntimeError messages and in SQLConnection.__repr__. When a query or connection fails, or the connection object is logged or displayed, secrets embedded in the URL such as userinfo passwords, access_token query parameters, and driver-specific extras are exposed in plaintext. Earlier releases only redacted user:password userinfo, so query-parameter tokens and passwords containing URL-special characters were still leaked. The fix stops echoing the connection URL entirely and shows only the dialect and driver.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use daft.read_sql with connection URLs that embed credentials.

Background info

daft is vulnerable to Exposure of Sensitive Information in versions 0.4.10 - 0.7.12.

How to fix this

Upgrade the daft library to the patch version.