Bulk Variables API Vulnerability in Apache Airflow
CVE-2026-48828

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
7 July 2026

What is CVE-2026-48828?

A vulnerability exists in the Bulk Variables API of Apache Airflow, where the redaction process fails to activate for certain JSON-encoded variables. When the key for a variable is not passed, the security measure that would normally prevent plaintext secrets from being disclosed does not trigger. This can allow authenticated users with permissions to read bulk variables to access sensitive information stored in JSON format under specific key patterns, such as *password, *token, or *secret. It is critical for users to upgrade to version 3.3.0 or later to mitigate this risk.

Affected Version(s)

Apache Airflow 0 < 3.3.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Omkhar Arasaratnam (@omkhar)
Shubham Raj (@shubhamraj-git)
.