Improper Key Redaction in Apache Airflow by Apache
CVE-2026-42358

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 1 June 2026

What is CVE-2026-42358?

A vulnerability in Apache Airflow's Variable response masker allows nested-key redaction of sensitive information to be bypassed. The bypass occurs when a user with read permission accesses a JSON value whose nesting depth exceeds the masker's recursion limit. As a result, sensitive values such as passwords, tokens, and API keys may be exposed in plaintext. A previous CVE addressed shallower nesting, but the depth limit has not been raised, which leaves a gap that can be exploited. Affected users are advised to upgrade to Apache Airflow version 3.2.2 or later to mitigate this vulnerability.
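The failure mode described above, shown as an added example that is not Airflow's code: a key-based redactor that stops recursing at a depth limit and returns the remaining subtree unmasked, next to a variant that fails closed by masking the whole subtree. The function names, `SENSITIVE_KEYS`, `MAX_DEPTH = 5` and the sample documents are assumptions constructed for illustration.

```python
import json

# Assumed names and values for illustration; not Airflow's masker or its real limit.
SENSITIVE_KEYS = {"password", "token", "api_key", "secret"}
MAX_DEPTH = 5
MASK = "***"

def _is_sensitive(key):
    return isinstance(key, str) and any(s in key.lower() for s in SENSITIVE_KEYS)

def redact_depth_limited(value, depth=0):
    """Flawed pattern: past MAX_DEPTH the subtree is returned unmasked."""
    if depth > MAX_DEPTH:
        return value
    if isinstance(value, dict):
        return {k: MASK if _is_sensitive(k) else redact_depth_limited(v, depth + 1)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact_depth_limited(v, depth + 1) for v in value]
    return value

def redact_fail_closed(value, depth=0):
    """Hardened pattern: a container past MAX_DEPTH is masked as a whole."""
    if isinstance(value, (dict, list)) and depth > MAX_DEPTH:
        return MASK
    if isinstance(value, dict):
        return {k: MASK if _is_sensitive(k) else redact_fail_closed(v, depth + 1)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact_fail_closed(v, depth + 1) for v in value]
    return value

def nest(payload, levels):
    """Wrap payload in `levels` layers of {"level": ...} (constructed sample input)."""
    for _ in range(levels):
        payload = {"level": payload}
    return payload

def leaks(redacted, secret):
    """True if the plaintext secret survives in the serialized response."""
    return secret in json.dumps(redacted)

if __name__ == "__main__":
    secret = "constructed-sample-value"
    for levels in (2, 8):
        doc = nest({"password": secret}, levels)
        print(levels, leaks(redact_depth_limited(doc), secret),
              leaks(redact_fail_closed(doc), secret))
```

A regression test for any masker of this kind should include inputs nested one level past the configured limit, since that boundary is where the two variants diverge.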

Affected Version(s)

Apache Airflow: all versions before 3.2.2 (0 < 3.2.2)

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vincent55 (confirmed in original report sign-off)
Aymane MAZGUITI – unclej4ck
Ilyase Dehy – Albert
Jarek Potiuk