Team-Scoped Secret Exposure in Apache Airflow Providers for AWS
CVE-2026-42526

5.3 MEDIUM

Key Information:

Vendor: Apache

CVE Published: 19 May 2026

What is CVE-2026-42526?

In versions of the Apache Airflow Amazon (AWS) provider prior to 9.28.0, the team-scoping logic could misinterpret connection IDs that contain a '/' delimiter. Because '/' was also used to separate the team prefix from the connection ID, a privileged user could craft a connection ID without team context that collided with another team's scoped ID, and thereby read that team's secrets. The vulnerability affects only deployments using the multi-tenant teams feature. It was fixed in version 9.28.0 by changing the team-scope separator and tightening the policy for connection IDs that lack proper team context. Users are strongly urged to update to the latest version to safeguard their systems.
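The following is an added illustration of the class of defect described above; it is not code from the Apache Airflow Amazon provider, and the scoping scheme it models (a team prefix joined to the connection ID with '/', and a hardened variant using a separator that is rejected inside identifiers) is an assumption for teaching purposes, as are all function names. It shows why a delimiter that can also appear inside a connection ID lets an unscoped lookup collide with another team's scoped key, and what the two corrective measures named in the advisory (a different separator, and refusing IDs without team context) buy a defender.

```python
"""Model of a team-scoped secret lookup, before and after hardening.

Added example for CVE-2026-42526; the scheme is assumed, not the provider's
real implementation.  Function and variable names are hypothetical.
"""
from typing import Dict, Optional


class ScopeError(ValueError):
    """Raised when a lookup cannot be safely attributed to a team."""


# --- Vulnerable model -------------------------------------------------------
# Assumed pre-fix behaviour: '/' separates team and connection id, and a
# lookup with no team context uses the raw id as the backend key.
VULN_SEPARATOR = "/"

# Constructed sample backend: two teams each own a connection called db_main.
VULN_STORE: Dict[str, str] = {
    "alpha/db_main": "alpha-secret",
    "beta/db_main": "beta-secret",
}


def vulnerable_key(team: Optional[str], conn_id: str) -> str:
    """Build the backend key the way the flawed logic is assumed to."""
    if team is None:
        return conn_id  # unscoped ids pass straight through
    return f"{team}{VULN_SEPARATOR}{conn_id}"


def vulnerable_lookup(team: Optional[str], conn_id: str) -> Optional[str]:
    return VULN_STORE.get(vulnerable_key(team, conn_id))


# --- Hardened model ----------------------------------------------------------
# Assumed fix: a separator that is never valid inside an identifier, every
# identifier is validated against it, and team context is mandatory.
SAFE_SEPARATOR = "\x1f"  # ASCII unit separator; assumed to be disallowed in ids

SAFE_STORE: Dict[str, str] = {
    f"alpha{SAFE_SEPARATOR}db_main": "alpha-secret",
    f"beta{SAFE_SEPARATOR}db_main": "beta-secret",
}


def validate_identifier(value: str) -> str:
    """Reject empty identifiers and any that embed the scope separator."""
    if not value or SAFE_SEPARATOR in value:
        raise ScopeError(f"invalid identifier: {value!r}")
    return value


def hardened_key(team: Optional[str], conn_id: str) -> str:
    """Build an unambiguous key; refuse lookups that carry no team context."""
    if team is None:
        raise ScopeError("team context is required when teams are enabled")
    return f"{validate_identifier(team)}{SAFE_SEPARATOR}{validate_identifier(conn_id)}"


def hardened_lookup(team: Optional[str], conn_id: str) -> Optional[str]:
    return SAFE_STORE.get(hardened_key(team, conn_id))


def collision_demo() -> Dict[str, Optional[str]]:
    """Compare both models on the same requests; returns the observed results."""
    results: Dict[str, Optional[str]] = {
        # A normal scoped read works in both models.
        "vuln_scoped": vulnerable_lookup("beta", "db_main"),
        "safe_scoped": hardened_lookup("beta", "db_main"),
        # An unscoped read of an id containing '/' collides with team alpha's
        # key in the vulnerable model.
        "vuln_unscoped_collision": vulnerable_lookup(None, "alpha/db_main"),
        # The same id, scoped to beta, cannot reach alpha's key in the hardened
        # model because '/' is no longer the separator.
        "safe_scoped_with_slash": hardened_lookup("beta", "alpha/db_main"),
    }
    try:
        hardened_lookup(None, "alpha/db_main")
        results["safe_unscoped"] = "unexpectedly allowed"
    except ScopeError:
        results["safe_unscoped"] = None  # refused: no team context
    return results


if __name__ == "__main__":
    for name, value in collision_demo().items():
        print(f"{name}: {value}")
```

Running the script shows the vulnerable model returning `alpha-secret` for an unscoped request naming `alpha/db_main`, while the hardened model either refuses the unscoped request outright or, when the caller is scoped to `beta`, cannot produce a key that matches any other team's entry.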

Affected Version(s)

Apache Airflow Amazon provider 0 < 9.28.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Justin Pakzad