Sensitive Data Exposure in Apache Airflow API Endpoint
CVE-2026-45192

6.5 MEDIUM

Key Information:

Vendor:
Apache

CVE Published:
1 June 2026

What is CVE-2026-45192?

A vulnerability in the Apache Airflow REST API endpoint GET /api/v2/connections/{connection_id} allows users who hold Connection-read permission, but are not otherwise authorized to view the secrets, to read sensitive values stored in a Connection's extra JSON field. The endpoint redacts only field names that appear in the redaction allowlist (DEFAULT_SENSITIVE_FIELDS); any other field is returned in plaintext, which can expose secrets such as official Slack-provider credentials. The issue affects installations that store credentials inside these Connection extra blobs and grant multiple users read access to Connections. Users are encouraged to update to Apache Airflow version 3.2.2 or later. As a best practice, store sensitive credentials in a secrets backend rather than inline in the Connection's extra field.
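The following is an added example, not Airflow's own code, that shows the failure mode described above and one way to audit for it. It uses a constructed, abbreviated allowlist (SENSITIVE_FIELDS) as a stand-in for DEFAULT_SENSITIVE_FIELDS, a hypothetical substring heuristic (SUSPICIOUS_SUBSTRINGS), and constructed sample Connection rows; none of these names or values come from the advisory or the project. The first function mirrors an exact-name allowlist redaction and leaves any other key, such as a custom slack_bot_token, in plaintext; the second walks each Connection's extra blob and reports credential-looking leaf fields that such an allowlist would not cover, so an administrator can move them to a secrets backend.

```python
"""Added example (not Airflow's code): allowlist-only redaction of a Connection's
``extra`` JSON leaks fields with non-standard names; audit such fields."""
import json

# Constructed, shortened stand-in for an exact-name redaction allowlist.
# Airflow's real DEFAULT_SENSITIVE_FIELDS is larger; this is an assumption.
SENSITIVE_FIELDS = frozenset({"password", "passwd", "secret", "token", "api_key", "private_key"})

# Hypothetical heuristic for the audit: substrings that usually mark a credential
# even when the exact key name is not in the allowlist.
SUSPICIOUS_SUBSTRINGS = ("pass", "secret", "token", "key", "cred", "auth")

MASK = "***"


def redact_extra_by_allowlist(extra_json, sensitive=SENSITIVE_FIELDS):
    """Mask values only where the key's exact (lower-cased) name is in the allowlist.
    Any other key, however credential-like, is returned unchanged; that is the
    weakness the advisory describes."""
    def walk(obj):
        if isinstance(obj, dict):
            return {k: (MASK if k.lower() in sensitive else walk(v)) for k, v in obj.items()}
        if isinstance(obj, list):
            return [walk(v) for v in obj]
        return obj
    return walk(json.loads(extra_json))


def find_unredacted_credentials(connections, sensitive=SENSITIVE_FIELDS):
    """Audit helper: return sorted (conn_id, dotted.key.path) pairs for leaf fields
    that look like credentials but are not covered by the exact-name allowlist."""
    findings = set()

    def walk(obj, conn_id, path):
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(v, conn_id, path + [k])
        elif isinstance(obj, list):
            for v in obj:          # list items inherit the parent key's name
                walk(v, conn_id, path)
        elif path:
            key = path[-1].lower()
            if key not in sensitive and any(s in key for s in SUSPICIOUS_SUBSTRINGS):
                findings.add((conn_id, ".".join(path)))

    for conn in connections:
        try:
            extra = json.loads(conn.get("extra") or "{}")
        except json.JSONDecodeError:
            continue               # malformed extra: nothing to inspect
        walk(extra, conn["conn_id"], [])
    return sorted(findings)


# Constructed sample rows shaped like Connection records (conn_id + extra JSON).
SAMPLE_CONNECTIONS = [
    {"conn_id": "db_prod", "extra": '{"password": "hunter2", "sslmode": "require"}'},
    {"conn_id": "slack_default",
     "extra": '{"slack_bot_token": "xoxb-0000-constructed", "channel": "#alerts"}'},
    {"conn_id": "nested_api",
     "extra": '{"auth": {"client_secret": "cs-constructed"}, "region": "eu"}'},
    {"conn_id": "broken", "extra": "{not json"},
]

if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS[:3]:
        # "password" is masked; "slack_bot_token" and "auth.client_secret" are not.
        print(c["conn_id"], redact_extra_by_allowlist(c["extra"]))
    for conn_id, path in find_unredacted_credentials(SAMPLE_CONNECTIONS):
        print(f"[audit] {conn_id}: extra field '{path}' looks like a credential "
              f"and is not in the redaction allowlist; move it to a secrets backend")
```

Run it directly to see the redacted view of each sample Connection followed by the audit findings. In a real deployment the audit loop would iterate over Connection rows pulled from the metadata database or the REST API rather than the constructed list, and a hit means the value should be moved to a secrets backend and rotated, since the allowlist alone does not protect it.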

Affected Version(s)

Apache Airflow, all versions before 3.2.2 (0 < 3.2.2)

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Or Sahar, Secure From Scratch
Jarek Potiuk (@potiuk)