CVE-2026-45192

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2

Description A bug in the GET '/api/v2/connections/{connection id}' REST API endpoint allows an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's extra JSON blob. This occurs when secrets are stored under field names not included in the redaction allowlist (DEFAULT SENSITIVE FIELDS), resulting in sensitive data, such as Slack-provider credential field names, being returned in plaintext. This issue affects deployments that store credentials in Connection extra blobs and grant Connection-read access to multiple users.

Recommendations Upgrade to version 3.2.2 or later. Store sensitive credential values in a secret-backend instead of inlining them into the Connection's extra field.