PT-2026-56178 · Apache · Apache Airflow

Jarek Potiuk

+1

·

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-48892

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.3.0
Description The Config API exposes per-key secrets-backend overrides, such as environment variables AIRFLOW SECRETS BACKEND KWARG SECRET ID and AIRFLOW WORKERS SECRETS BACKEND KWARG SECRET ID, as synthetic config options. Because these option names are not included in sensitive config values, the masker fails to redact them. Consequently, an authenticated UI or API user with Config read permission can retrieve plaintext secrets-backend credentials, including Vault role id and secret id, from the Config API output.
Recommendations Upgrade to apache-airflow version 3.3.0 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48892

Affected Products

Apache Airflow