PT-2026-56176 · Apache · Apache Airflow
Omkhar Arasaratnam
+1
·
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-48828
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions prior to 3.3.0
Description
The Bulk Variables API fails to pass the variable's key to the redactor. This prevents the
should hide value for key function from identifying secret-suffixed key names, such as * password, * token, or * secret. Consequently, an authenticated user with bulk Variable read permissions can retrieve plaintext values from JSON-decodable variables that should have been redacted.Recommendations
Upgrade to version 3.3.0 or later.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow