3.7

CVE-2026-32690

EPSS 0.1%
Veröffentlicht 18.04.2026 06:22:26
Zuletzt bearbeitet 21.04.2026 14:41:08
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.

If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version >= 3.0.0 < 3.2.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.273

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/apache/airflow/pull/63480

Issue Tracking

https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/17/6

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-32690

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32690

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32690

EUVD