Description
Secrets in Variables saved as JSON dictionaries were not properly redacted: when such variables were retrieved by the user, secrets stored as nested fields were not masked.

If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise, upgrade to Apache Airflow 3.2.0, which contains the fix.
Published: 2026-04-18
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

A flaw in Apache Airflow 3.x allows secrets stored as JSON dictionaries within Variables to bypass the redaction mechanism when the variable is retrieved, exposing nested secret values. The redaction logic limited its traversal to a single level (max_depth=1), so a top-level key is masked but anything nested below a non-sensitive key is returned in clear. Any user or process that fetches such a variable therefore receives the nested credentials unmasked.

Affected Systems

Apache Airflow versions 3.x before 3.2.0 are impacted when variables contain nested secret values in JSON form. Airflow installations that do not store sensitive data this way are not affected. No specific patch level is listed in the CNA data beyond the note that upgrading to 3.2.0 removes the issue.

Risk and Exploitability

The vulnerability, classified under CWE-668 (Exposure of Resource to Wrong Sphere), has a low confidentiality risk as reflected by its CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N): network-reachable, high attack complexity, no privileges or user interaction required, and limited confidentiality impact with no integrity or availability impact. Its EPSS score is below 1%, indicating a very low probability of exploitation, and it is not listed in the CISA KEV catalog. Exploitation amounts to reading the Variable: anyone, malicious or merely inadvertent, who can retrieve it through the Airflow UI or REST API sees the nested values unmasked, so the practical exposure is to whoever already holds that level of access, including places where the retrieved value is displayed or logged.

Generated by OpenCVE AI on April 20, 2026 at 18:43 UTC.

Remediation

Vendor fix: upgrade to Apache Airflow 3.2.0, which contains the corrected redaction. Workaround until then: do not store sensitive values as nested JSON in Variables.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.0 or later, which includes the redaction fix.
  • Avoid storing sensitive values in nested JSON fields within Variables; use flat key/value pairs so that the sensitive key sits at the top level, where it is masked.
  • Delete or cleanse existing Variables that hold sensitive data in nested JSON so that they are not exposed during retrieval, and consider rotating any credential that may already have been viewed unmasked on an unpatched deployment.

Generated by OpenCVE AI on April 20, 2026 at 18:43 UTC.
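As an added illustration of the failure mode described in the Impact section and of the audit step in the recommended actions (not code from Apache Airflow or from OpenCVE), the block below models a masker with a depth budget: with max_depth=1 only top-level keys are inspected, so a secret nested under a harmless key comes back unmasked, while the unbounded walk masks every level. It also includes a helper to point at an `airflow variables export` file and list the Variables that carry sensitive keys below the top level, i.e. the ones to flatten or remove. The key-name list, the `***` placeholder, the function names and the sample export are assumptions made here, not Airflow's.

```python
"""Depth-limited vs. recursive masking of a nested JSON Variable value.

Added illustration for this advisory. It is not Apache Airflow's masker and
shares no code with it: the key-name list, the "***" placeholder, the
max_depth parameter and the sample export below are all assumptions.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

# Assumed: substrings of key names whose values count as secrets.
SENSITIVE_KEY_PARTS = ("password", "passwd", "secret", "token", "api_key", "private_key")
MASK = "***"


def is_sensitive_key(key: Any) -> bool:
    """True when a dict key looks like it names a credential."""
    return isinstance(key, str) and any(p in key.lower() for p in SENSITIVE_KEY_PARTS)


def redact(value: Any, max_depth: Optional[int] = None, _depth: int = 1) -> Any:
    """Return a copy of value with secret-named entries replaced by MASK.

    max_depth=1 models the flawed behaviour: only the top-level dict is
    inspected, and any container found under a harmless key is passed through
    untouched, nested secrets included.  max_depth=None walks every level.
    """
    if isinstance(value, dict):
        out: Dict[Any, Any] = {}
        for k, v in value.items():
            if is_sensitive_key(k):
                out[k] = MASK                      # masked at any depth we reach
            elif max_depth is not None and _depth >= max_depth:
                out[k] = v                         # depth budget spent: leaked as-is
            else:
                out[k] = redact(v, max_depth, _depth + 1)
        return out
    if isinstance(value, list):
        if max_depth is not None and _depth >= max_depth:
            return value
        return [redact(v, max_depth, _depth + 1) for v in value]
    return value


def nested_sensitive_paths(value: Any, path: Tuple[str, ...] = ()) -> List[str]:
    """Dotted paths of secret-named keys that sit below the top level.

    Top-level secret keys are omitted: a depth-1 masker still covers those.
    """
    found: List[str] = []
    if isinstance(value, dict):
        for k, v in value.items():
            here = path + (str(k),)
            if is_sensitive_key(k) and len(here) > 1:
                found.append(".".join(here))
            found.extend(nested_sensitive_paths(v, here))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            found.extend(nested_sensitive_paths(v, path + (f"[{i}]",)))
    return found


def audit_exported_variables(export_json: str) -> Dict[str, List[str]]:
    """Map Variable name -> nested secret paths for a {name: value} export.

    Assumed input shape: the JSON object `airflow variables export` writes.
    String values are parsed as JSON too, to catch Variables saved as a JSON
    string rather than a decoded object; non-JSON strings are skipped.
    """
    report: Dict[str, List[str]] = {}
    for name, value in json.loads(export_json).items():
        if isinstance(value, str):
            try:
                value = json.loads(value)
            except ValueError:
                continue
        paths = nested_sensitive_paths(value)
        if paths:
            report[name] = paths
    return report


# Constructed sample export (not real data): one Variable with a top-level and
# a nested secret, one plain string, one Variable stored as a JSON string.
SAMPLE_VARIABLES = {
    "warehouse_conn": {
        "host": "db.internal.example",
        "password": "top-level-pw",
        "auth": {"user": "etl", "password": "nested-pw", "extra": {"api_key": "k-1"}},
    },
    "region": "eu-west-1",
    "s3_creds": '{"access": {"secret_key": "s3-secret"}}',
}
SAMPLE_EXPORT = json.dumps(SAMPLE_VARIABLES)

if __name__ == "__main__":
    conn = SAMPLE_VARIABLES["warehouse_conn"]
    print("max_depth=1 :", json.dumps(redact(conn, max_depth=1)))
    print("unbounded   :", json.dumps(redact(conn)))
    print("to migrate  :", audit_exported_variables(SAMPLE_EXPORT))
```

Running it shows the top-level `password` masked in both modes, while `auth.password` and `auth.extra.api_key` survive only under max_depth=1; the audit lists exactly those two paths for `warehouse_conn` and `access.secret_key` for the JSON-string Variable. Note that the audit itself reads the unmasked export, so run it where the export file is already protected and delete the file afterwards.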

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-w9r4-94fj-xp69
Title: Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries
History

Tue, 21 Apr 2026 14:45:00 +0000

CPEs (values added): cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Mon, 20 Apr 2026 16:15:00 +0000

Metrics (values added):
  cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 18 Apr 2026 09:15:00 +0000

First Time appeared (values added): Apache, Apache airflow
Vendors & Products (values added): Apache, Apache airflow

Sat, 18 Apr 2026 07:30:00 +0000

References (values added)

Sat, 18 Apr 2026 07:00:00 +0000

Description (values added): Secrets in Variables saved as JSON dictionaries were not properly redacted: when such variables were retrieved by the user, secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise, upgrade to Apache Airflow 3.2.0, which contains the fix.
Title (values added): Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1
Weaknesses (values added): CWE-668
References (values added)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-20T16:11:33.956Z

Reserved: 2026-03-13T10:53:28.309Z

Link: CVE-2026-32690

Vulnrichment

Updated: 2026-04-18T06:29:00.682Z

NVD

Status: Analyzed

Published: 2026-04-18T07:16:10.683

Modified: 2026-04-21T14:41:08.253

Link: CVE-2026-32690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses