PT-2026-45372 · Apache · Apache Airflow

Jarek Potiuk +1 · Published 2026-06-01 · Updated 2026-06-01 · CVE-2026-42360

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache Airflow versions prior to 3.2.2

Description

A bug in the rendered-template field handling allows the bypass of nested sensitive-key masking. When a rendered field exceeds the [core] max_templated_field_length limit, the software stringifies the structure before redaction, which removes the nested key context and results in plaintext values being persisted into rendered fields. This affects deployments where DAG authors pass structured JSON to operators containing nested sensitive keys such as password, token, secret, or api key. An authenticated UI or API user with permissions to read rendered template fields can harvest these secret values.

Recommendations

Update to version 3.2.2 or later.
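
The ordering problem in the description, as an added illustration (not code from the advisory or from Airflow): a toy key-based redactor showing why stringifying an oversized field before redaction loses the nested key context. SENSITIVE_KEYS, MAX_LEN, the function names and the sample field are assumptions constructed for this example.

```python
# Added illustration: a toy key-based redactor, NOT Airflow's implementation.
# SENSITIVE_KEYS, MAX_LEN, MASK and every function name are hypothetical.
import json

SENSITIVE_KEYS = {"password", "token", "secret", "api_key"}
MAX_LEN = 80  # stand-in for a templated-field length limit
MASK = "***"


def redact(value, key=None):
    """Mask values stored under a sensitive key, walking nested dicts and lists."""
    if isinstance(key, str) and key.lower() in SENSITIVE_KEYS:
        return MASK
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    return value  # a bare string has no key context, so nothing matches


def truncate(text):
    """Cut an oversized string down to MAX_LEN characters."""
    return text if len(text) <= MAX_LEN else text[:MAX_LEN] + "... (truncated)"


def store_stringify_first(field):
    """Flawed order: an oversized field is stringified before redaction."""
    text = json.dumps(field)
    if len(text) > MAX_LEN:
        return redact(truncate(text))  # redactor only sees a str: keys are gone
    return json.dumps(redact(field))


def store_redact_first(field):
    """Corrected order: redact while the structure exists, then stringify."""
    return truncate(json.dumps(redact(field)))


# Constructed sample input: structured JSON with a nested sensitive key.
FIELD = {
    "conn": {"host": "db.example.internal", "password": "s3cr3t-CONSTRUCTED"},
    "note": "x" * 40,  # padding that pushes the field over MAX_LEN
}

if __name__ == "__main__":
    print("stringify first:", store_stringify_first(FIELD))
    print("redact first:   ", store_redact_first(FIELD))
```

A field under the limit is masked correctly by both paths, so the plaintext only shows up for oversized fields, which is why tests with short values do not catch it.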

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-42360
PYSEC-2026-172

Affected Products

Apache Airflow