Nested Key Masking Vulnerability in Apache Airflow
CVE-2026-42360
Currently unrated
What is CVE-2026-42360?
A vulnerability in Apache Airflow allows sensitive information such as passwords, tokens, and API keys to be exposed when the rendered-template field exceeds a specified length. This issue arises from improper handling of nested sensitive keys within JSON structures. Specifically, the software stringifies the template before masking sensitive information, leading to a loss of context for nested keys and the potential exposure of plaintext secrets. Authenticated users with access to the UI or API can exploit this flaw to retrieve sensitive data. Users are advised to upgrade to Apache Airflow version 3.2.2 or later to mitigate this risk.
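The order-of-operations flaw described above, as an added example that is not Apache Airflow's own code: a key-name-based masker is applied to an already stringified field, then to the intact structure. The function names, sensitive-key list, length threshold and sample data are assumptions constructed for illustration.

```python
import json

SENSITIVE = {"password", "token", "api_key", "secret"}  # assumed key names
MAX_LEN = 64  # assumed length threshold for the rendered field


def mask_by_key(value, key=None):
    """Redact any value stored under a sensitive key name, recursing into containers."""
    if key is not None and key.lower() in SENSITIVE:
        return "***"
    if isinstance(value, dict):
        return {k: mask_by_key(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_by_key(v) for v in value]
    return value  # a plain string carries no key context, so it passes through


def truncate(text):
    return text if len(text) <= MAX_LEN else text[:MAX_LEN] + "... [truncated]"


def render_stringify_first(field):
    """Flawed order: an over-length field becomes a string before the masker runs."""
    text = json.dumps(field)
    if len(text) > MAX_LEN:
        # The masker receives a str with no key name attached, so nothing is redacted.
        return truncate(mask_by_key(text))
    return json.dumps(mask_by_key(field))


def render_mask_first(field):
    """Corrected order: redact while the structure is intact, then stringify."""
    return truncate(json.dumps(mask_by_key(field)))


# Constructed sample input, not real credentials.
SAMPLE = {"extra": {"password": "hunter2-constructed"}, "note": "x" * 80}

if __name__ == "__main__":
    print("stringify first:", render_stringify_first(SAMPLE))
    print("mask first:     ", render_mask_first(SAMPLE))
```

A regression test for this class of bug should feed a nested secret through the over-length path specifically, since the short path masks correctly and hides the defect.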
Affected Version(s)
Apache Airflow: all versions from 0 up to, but not including, 3.2.2