CVE-2026-49487
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
CVSS Score
6.5
EPSS Score
0.2%
EPSS Percentile
10th
In Apache Airflow before 3.3.0, the REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. When a deferred operator passed a secret (for example a provider API key) into its trigger, any authenticated user with DAG-scoped task-instance read access for that DAG could read that secret in clear text while the task was deferred. Users should upgrade to apache-airflow 3.3.0 or later, which masks sensitive values in trigger kwargs returned by the API.
| CWE | CWE-200 |
| Vendor | apache software foundation |
| Product | apache airflow |
| Published | Jul 7, 2026 |
| Last Updated | Jul 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for apache software foundation apache airflow
Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Apache Software Foundation / Apache Airflow
0 < 3.3.0
References
Credits
Andrew Rukin (Arenadata) Jarek Potiuk (@potiuk)