๐Ÿ” CVE Alert

CVE-2026-48828

MEDIUM 6.5

Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key

CVSS Score
6.5
EPSS Score
0.2%
EPSS Percentile
10th

The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based `should_hide_value_for_key` check (which triggers on secret-suffixed key names like `*_password` / `*_token` / `*_secret`) could not fire for JSON-decodable variable values. An authenticated UI/API user with bulk Variable read permission could retrieve plaintext values from JSON variables whose key would otherwise trigger redaction. Affects deployments that store sensitive values in JSON-typed Airflow Variables under secret-suffixed key names. Users are advised to upgrade to `apache-airflow` 3.3.0 or later (the fix landed on `main` after 3.2.2; no 3.2.x backport).

CWE CWE-200
Vendor apache software foundation
Product apache airflow
Published Jul 7, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow
0 < 3.3.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/apache/airflow/pull/67495 lists.apache.org: https://lists.apache.org/thread/y9kf314t6dhnv994hr11wj3tbow847yc openwall.com: http://www.openwall.com/lists/oss-security/2026/07/07/2

Credits

Omkhar Arasaratnam (@omkhar) Shubham Raj (@shubhamraj-git)