PT-2026-56180 · Apache · Apache Airflow

Andrew Rukin

+1

·

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-49487

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.3.0
Description The REST API task-instance detail and list endpoints return a deferred task's trigger kwargs without masking. This allows any authenticated user with DAG-scoped task-instance read access to view sensitive information, such as provider API keys, in clear text while the task is deferred.
Recommendations Upgrade to version 3.3.0 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49487

Affected Products

Apache Airflow