PT-2026-56178 · Apache · Apache Airflow
Jarek Potiuk
+1
·
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-48892
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions prior to 3.3.0
Description
The Config API exposes per-key secrets-backend overrides, such as environment variables
AIRFLOW SECRETS BACKEND KWARG SECRET ID and AIRFLOW WORKERS SECRETS BACKEND KWARG SECRET ID, as synthetic config options. Because these option names are not included in sensitive config values, the masker fails to redact them. Consequently, an authenticated UI or API user with Config read permission can retrieve plaintext secrets-backend credentials, including Vault role id and secret id, from the Config API output.Recommendations
Upgrade to apache-airflow version 3.3.0 or later.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow