Sensitive Data Exposure in Apache Airflow Config API
CVE-2026-48892
Currently unrated
What is CVE-2026-48892?
The Config API in Apache Airflow allows for certain environment variables related to secrets-backend configurations, such as AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID, to be exposed as configuration options. These variables are not included in the sensitive configuration values, leaving them unmasked. This vulnerability permits authenticated users with Config read permissions to access plaintext credentials, potentially leading to unauthorized use of Vault role_id and secret_id. Users are strongly encouraged to upgrade to Apache Airflow v3.3.0 or later to mitigate this issue.
Affected Version(s)
Apache Airflow 0 < 3.3.0