Description
A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nested item before checking the sensitive key name. An authenticated UI/API user with Variable read permission could harvest plaintext secret values stored under sensitive keys nested deep enough to exceed the masker's depth cap. Affects deployments that store sensitive values inside deeply-nested JSON Variables. This is a residual gap in the fix for CVE-2026-32690 (which covered shallower nesting via `max_depth=1`); the depth-limit boundary itself was not raised, so the same key-name bypass pattern reappears beyond the recursion cap. Users who already upgraded for CVE-2026-32690 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the deep-nesting path.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the Apache Airflow Variable response masker allows an authenticated UI/API user with Variable read permission to view nested secret values in cleartext when the JSON depth exceeds the masker's recursion limit. The vulnerability occurs because the masker returns the original nested item before checking whether the key name is sensitive. The key‑name bypass pattern that was partially fixed for a shallower nesting depth in the prior CVE now reappears beyond the recursion cap, enabling disclosure of protected data stored under keys like "password", "token", or "secret". The flaw is a CWE-200 vulnerability, exposing confidential information; the impact is limited to confidentiality loss with no code execution or state modification possible.
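A constructed Python reconstruction of the redaction order described in the Description and the Impact paragraph, added here as an illustration and not Airflow's own masker code: `redact_buggy` honours the depth cap before the key-name check, so a secret nested past the cap is returned in plaintext, while `redact_fixed` checks the key name first and masks anything beyond the cap as a whole. The suffix list, `MAX_DEPTH`, the function names and the sample Variable value are assumptions, not values taken from Airflow.

```python
"""Illustrative reconstruction of the masking-order bug; constructed
example code, not Airflow's implementation."""
from typing import Any, Optional

SENSITIVE_SUFFIXES = ("password", "token", "secret", "api_key")  # assumed list
REDACTED = "***"
MAX_DEPTH = 1  # assumed recursion cap, mirroring the max_depth=1 in the page


def is_sensitive(key: str) -> bool:
    # Key-name heuristic: redact when the key ends with a secret-like suffix.
    return key.lower().endswith(SENSITIVE_SUFFIXES)


def redact_buggy(item: Any, name: Optional[str] = None, depth: int = 0) -> Any:
    """Buggy order: the depth cap is honoured before the key name is checked,
    so a sensitive key sitting below the cap comes back unmasked."""
    if depth > MAX_DEPTH:
        return item  # bug: original nested item returned before the key check
    if name is not None and is_sensitive(name):
        return REDACTED
    if isinstance(item, dict):
        return {k: redact_buggy(v, k, depth + 1) for k, v in item.items()}
    if isinstance(item, list):
        return [redact_buggy(v, name, depth + 1) for v in item]
    return item


def redact_fixed(item: Any, name: Optional[str] = None, depth: int = 0) -> Any:
    """Hardened order: key name first, then the cap; a subtree past the cap
    is masked whole instead of leaked (fail-closed choice assumed here; the
    page says 3.2.2 instead raises the depth limit)."""
    if name is not None and is_sensitive(name):
        return REDACTED
    if depth > MAX_DEPTH:
        return REDACTED
    if isinstance(item, dict):
        return {k: redact_fixed(v, k, depth + 1) for k, v in item.items()}
    if isinstance(item, list):
        return [redact_fixed(v, name, depth + 1) for v in item]
    return item


# Constructed Variable value: the secret sits three dict levels down.
DEEP_VARIABLE = {"conn": {"auth": {"db_password": "hunter2"}, "host": "db"}}


def leaked_by_buggy() -> bool:
    return redact_buggy(DEEP_VARIABLE)["conn"]["auth"]["db_password"] == "hunter2"


def masked_by_fixed() -> bool:
    return redact_fixed(DEEP_VARIABLE)["conn"]["auth"] == REDACTED
```

A one-level value such as `{"api_key": "k"}` is masked by both variants, which is why the earlier fix looked complete until a deeper Variable was tested.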

Affected Systems

Apache Airflow deployments that use the Variable UI/API to store sensitive values in deeply nested JSON structures are affected. Versions prior to Apache Airflow 3.2.2—including those that were patched for CVE-2026-32690 but have not been upgraded to cover this depth‑limit bypass—remain vulnerable.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is internal. The CVSS score is 6.5, and the EPSS score is < 1%, but the lack of anonymous exploitation and the need for read permissions suggest a moderate risk of secret disclosure. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation at the time of publication. However, any entity that has exposed sensitive information via deeply nested Variables could experience a significant confidentiality breach if an attacker gains or already possesses Variable read access.

Generated by OpenCVE AI on June 1, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.2 or later, which raises the masker's depth limit and closes the bypass.
  • Restrict Variable read permissions to only trusted administrators and audit Variable access logs for unusual activity.
  • For environments that cannot upgrade immediately, avoid storing sensitive data in JSON Variables deeper than the configured recursion limit or move secrets to an external secret manager separate from the Airflow Variable store.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 17:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Type: Metrics
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 01 Jun 2026 12:30:00 +0000

Type: First Time appeared
Values Added: Apache, Apache airflow

Type: Vendors & Products
Values Added: Apache, Apache airflow

Mon, 01 Jun 2026 09:15:00 +0000

Type: Description
Values Added: (identical to the Description at the top of this page)

Type: Title
Values Added: Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets

Type: Weaknesses
Values Added: CWE-200

Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-02T16:43:21.038Z

Reserved: 2026-04-26T17:13:44.915Z

Link: CVE-2026-42358

Vulnrichment

Updated: 2026-06-02T16:04:25.575Z

NVD

Status: Modified

Published: 2026-06-01T09:16:18.790

Modified: 2026-06-02T17:16:32.433

Link: CVE-2026-42358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T18:45:34Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor