PT-2026-56180 · Apache · Apache Airflow
Andrew Rukin
+1
·
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-49487
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions prior to 3.3.0
Description
The REST API task-instance detail and list endpoints return a deferred task's trigger kwargs without masking. This allows any authenticated user with DAG-scoped task-instance read access to view sensitive information, such as provider API keys, in clear text while the task is deferred.
Recommendations
Upgrade to version 3.3.0 or later.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow