๐Ÿ” CVE Alert

CVE-2026-48892

MEDIUM 6.5

Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options

CVSS Score
6.5
EPSS Score
0.2%
EPSS Percentile
10th

The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later.

CWE CWE-200
Vendor apache software foundation
Product apache airflow
Published Jul 7, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow
0 < 3.3.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/apache/airflow/pull/67622 lists.apache.org: https://lists.apache.org/thread/pq5yy40079h6tzh3fxvw28dd8dbk72hk openwall.com: http://www.openwall.com/lists/oss-security/2026/07/07/4

Credits

Omkhar Arasaratnam (@omkhar) Jarek Potiuk