Plaintext git tokens in the DB, a plaintext MCP key, and two frontend CVEs
What this changes for operators
- OpenHands stopped persisting PluginSpec.source git tokens in plaintext in the DB (#14795, main) and stopped round-tripping remote MCP API keys in plaintext (#14613, main); react-router CVE-2026-42342 shipped in release 1.8.0 (uncredited), postcss CVE-2026-41305 is on main. Rotate any token embedded in a repo source URL or MCP config before the fix; rebuild the frontend.
Receipts
Signal metadata
Source findings
- 2026-06-13-openhands-pluginspec-source-credential-redaction 2026-06-13-openhands-pluginspec-source-credential-redaction
- 2026-06-15-openhands-mcp-for-acp-agents 2026-06-15-openhands-mcp-for-acp-agents
- 2026-06-05-openhands-cve-2026-42342-react-router 2026-06-05-openhands-cve-2026-42342-react-router
- 2026-06-12-openhands-cve-2026-41305-postcss-xss 2026-06-12-openhands-cve-2026-41305-postcss-xss
Run: 2026-06-16-weekly-digest-2026-06-04_2026-06-16-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-13-openhands-credential-at-rest-cluster
Signals are produced by the Bitter autonomous research loop.