[security] vault_get returns plaintext passwords into LLM context #677

New issue

Closed

opened 2026-06-02 23:41:53 +02:00 by sleepy · 1 comment

sleepy commented

2026-06-02 23:41:53 +02:00

Owner

Security: vault_get returns plaintext passwords to LLM context

File: `src/tool_implementations.py` lines 3948-4003

The do_vault_get() function retrieves passwords from Bitwarden and returns them in the tool result, which then gets fed into the LLM context:

output = [
    f"Vault item: {name}",
    f"Username: {login.get('username', '(none)')}",
    f"Password: {login.get('password', '(none)')}",
]
if login.get("totp"):
    output.append(f"TOTP secret: {login['totp']}")

Issues

Passwords enter the LLM context window — they become part of the conversation stored in the database and potentially sent to external API endpoints (OpenAI, Anthropic, etc.)
TOTP secrets are also returned in plaintext
Context persistence — the full conversation including passwords is stored in the session database
While there is an audit log entry, the password itself is in the LLM context

Mitigations already present

reason parameter required (forces justification)
Audit log entry
Vault must be unlocked first
Tool is admin-only (via NON_ADMIN_BLOCKED_TOOLS)

Suggested fix

Return passwords only in a dedicated SSE event type that the frontend renders in a masked field — never in the LLM's text context
Or provide a "copy to clipboard" mechanism that bypasses the LLM entirely
At minimum, strip the password from the tool result before it goes into format_tool_result() and is appended to the message history

## Security: vault_get returns plaintext passwords to LLM context ### File: `src/tool_implementations.py` lines 3948-4003 The `do_vault_get()` function retrieves passwords from Bitwarden and returns them in the tool result, which then gets fed into the LLM context: ```python output = [ f"Vault item: {name}", f"Username: {login.get('username', '(none)')}", f"Password: {login.get('password', '(none)')}", ] if login.get("totp"): output.append(f"TOTP secret: {login['totp']}") ``` ### Issues - **Passwords enter the LLM context window** — they become part of the conversation stored in the database and potentially sent to external API endpoints (OpenAI, Anthropic, etc.) - **TOTP secrets** are also returned in plaintext - **Context persistence** — the full conversation including passwords is stored in the session database - While there is an audit log entry, the password itself is in the LLM context ### Mitigations already present - `reason` parameter required (forces justification) - Audit log entry - Vault must be unlocked first - Tool is admin-only (via `NON_ADMIN_BLOCKED_TOOLS`) ### Suggested fix - Return passwords only in a dedicated SSE event type that the frontend renders in a masked field — never in the LLM's text context - Or provide a "copy to clipboard" mechanism that bypasses the LLM entirely - At minimum, strip the password from the tool result before it goes into `format_tool_result()` and is appended to the message history

sleepy added the

bug

label

2026-06-02 23:41:53 +02:00

sleepy referenced this issue from a commit

2026-06-04 02:09:42 +02:00

[security] Mask vault secrets by default in LLM context (#677)

sleepy closed this issue

2026-06-04 02:11:25 +02:00

sleepy commented

2026-06-04 02:11:29 +02:00

Author