Improper Redaction in Apache Airflow Leading to Exposure of Sensitive Information
CVE-2026-32690

3.7LOW

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 18 April 2026

What is CVE-2026-32690?

Sensitive data stored in JSON dictionaries within Apache Airflow may be exposed due to inadequate redaction mechanisms. If users retrieve variables that contain nested secret fields, these secrets remain visible since they are not masked properly. Organizations that utilize Apache Airflow for orchestration and workflow management should ensure they are using version 3.2.0 or later, which addresses this flaw. If sensitive values are stored in JSON format, it is crucial to update to the latest version to safeguard against potential data leaks.

Affected Version(s)

Apache Airflow 3.0.0 < 3.2.0

References

https://github.com/apache/airflow/pull/63480

patch

https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvyg...

vendor-advisory

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2026
Vulnerability Reserved
Mar 13, 2026

Credit

Nguyen Anh Binh [IA Lab – FPT University]

Kevin Yang

CVE-2026-32690 Data

JSON