PT-2026-56176 · Apache · Apache Airflow

Omkhar Arasaratnam

+1

·

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-48828

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.3.0
Description The Bulk Variables API fails to pass the variable's key to the redactor. This prevents the should hide value for key function from identifying secret-suffixed key names, such as * password, * token, or * secret. Consequently, an authenticated user with bulk Variable read permissions can retrieve plaintext values from JSON-decodable variables that should have been redacted.
Recommendations Upgrade to version 3.3.0 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48828

Affected Products

Apache Airflow