Bulk Variables API Vulnerability in Apache Airflow
CVE-2026-48828
Currently unrated
What is CVE-2026-48828?
A vulnerability exists in the Bulk Variables API of Apache Airflow, where the redaction process fails to activate for certain JSON-encoded variables. When the key for a variable is not passed, the security measure that would normally prevent plaintext secrets from being disclosed does not trigger. This can allow authenticated users with permissions to read bulk variables to access sensitive information stored in JSON format under specific key patterns, such as *password, *token, or *secret. It is critical for users to upgrade to version 3.3.0 or later to mitigate this risk.
Affected Version(s)
Apache Airflow 0 < 3.3.0