๐Ÿ” CVE Alert

CVE-2026-49487

MEDIUM 6.5

Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs

CVSS Score
6.5
EPSS Score
0.2%
EPSS Percentile
10th

In Apache Airflow before 3.3.0, the REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. When a deferred operator passed a secret (for example a provider API key) into its trigger, any authenticated user with DAG-scoped task-instance read access for that DAG could read that secret in clear text while the task was deferred. Users should upgrade to apache-airflow 3.3.0 or later, which masks sensitive values in trigger kwargs returned by the API.

CWE CWE-200
Vendor apache software foundation
Product apache airflow
Published Jul 7, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow
0 < 3.3.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/apache/airflow/pull/67868 lists.apache.org: https://lists.apache.org/thread/qlw6pozlzlfhkvmbgqsbjlq6vj4v0pc4 openwall.com: http://www.openwall.com/lists/oss-security/2026/07/07/6

Credits

Andrew Rukin (Arenadata) Jarek Potiuk (@potiuk)