Sensitive Data Exposure in Apache Airflow REST API
CVE-2026-49487

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
7 July 2026

What is CVE-2026-49487?

In Apache Airflow versions before 3.3.0, a vulnerability exists in the REST API task-instance detail and list endpoints. This flaw allows a deferred task's trigger kwargs to be returned without adequate masking, potentially exposing sensitive information, such as secret API keys, to anyone with authenticated access to the DAG-scoped task-instance. As a result, users should upgrade to Apache Airflow 3.3.0 or later, where enhancements have been made to mask sensitive values in the trigger kwargs returned by the API, thereby mitigating the risk of data exposure.

Affected Version(s)

Apache Airflow 0 < 3.3.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrew Rukin (Arenadata)
Jarek Potiuk (@potiuk)
.