SQL Error Exposure in Apache Airflow
CVE-2026-30912

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 18 April 2026

What is CVE-2026-30912?

A vulnerability in Apache Airflow allows the exposure of SQL errors, including exception and stack trace information through the API, even with the 'api/expose_stack_traces' configuration set to false. This exposure could provide potential attackers with significant insights that may be leveraged for further exploitation. Users are urged to update to Apache Airflow version 3.2.0 or later to mitigate this issue.

Affected Version(s)

Apache Airflow 0 < 3.2.0

References

https://github.com/apache/airflow/pull/63028

patch

https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2026
Vulnerability Reserved
Mar 7, 2026

Credit

Masamune - Unit515 OPSWAT

Jason(Zhe-You) Liu

CVE-2026-30912 Data

JSON