Description
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Airflow's handling of rendered-template fields causes nested sensitive keys such as password, token, secret, or api_key inside a JSON payload to escape masking when the rendered output exceeds the configured max_templated_field_length. Airflow converts the entire structure to a string before redaction, stripping the context that identifies the nested keys, and stores the plaintext in rendered_fields. An authenticated user who can read rendered template fields through the Airflow UI or API can therefore retrieve credentials that were intended to remain hidden, a direct leak of confidential information.
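The ordering problem described above, as an added example (not Airflow's code and not part of the original advisory): a simplified key-aware redactor, with the stringify-then-redact order beside the redact-then-serialize order. The function names, the 120-character limit standing in for `[core] max_templated_field_length`, the truncation marker and the sample values are all constructed for illustration.

```python
import json

SENSITIVE_KEYS = {"password", "token", "secret", "api_key"}  # key names listed in the advisory
MAX_LEN = 120   # constructed stand-in for [core] max_templated_field_length
MASK = "***"

def redact(value, key=None):
    """Mask any value stored under a sensitive key, at any nesting depth."""
    if key is not None and str(key).lower() in SENSITIVE_KEYS:
        return MASK
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    return value  # a bare string carries no key context, so it passes through

def truncate(text, limit=MAX_LEN):
    return text if len(text) <= limit else text[:limit] + "... [truncated]"

def store_flawed(rendered):
    """Flawed order: an over-limit field is stringified before redaction."""
    text = json.dumps(rendered)
    if len(text) > MAX_LEN:
        return truncate(redact(text))      # redact() sees one opaque string
    return json.dumps(redact(rendered))    # under the limit: keys still visible

def store_fixed(rendered):
    """Corrected order: redact the structure first, then serialize and truncate."""
    return truncate(json.dumps(redact(rendered)))

def leaked_fields(stored, known_secrets):
    """Audit helper: names of stored fields that still contain a known secret."""
    return sorted(n for n, text in stored.items()
                  if any(s in text for s in known_secrets))

# Constructed sample data (not from any real deployment).
SECRET = "constructed-secret-value"
SHORT = {"conn": {"host": "db.example.test", "password": SECRET}}
LONG = dict(SHORT, payload="x" * 200)  # pushes the rendered field over MAX_LEN

if __name__ == "__main__":
    stored = {"flawed": store_flawed(LONG), "fixed": store_fixed(LONG)}
    for name, text in stored.items():
        print(f"{name}: {text}")
    print("fields still holding the secret:", leaked_fields(stored, [SECRET]))
```

The same structure is masked correctly while it stays under the limit; only the over-limit path loses the key context, which is why the leak depends on field size.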

Affected Systems

All installations of Apache Airflow before version 3.2.2 that run DAGs passing structured JSON with nested sensitive keys to operators, and that allow a user with read permissions to view rendered template fields. The vulnerability is present regardless of the Airflow major release whenever a rendered field exceeds the max_templated_field_length threshold; updating to 3.2.2 or later eliminates the flaw.

Risk and Exploitability

The CVSS score is 6.5 (Medium). The EPSS score is less than 1%, indicating a very low but non-zero likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. The risk remains significant even though exploitation requires legitimate authentication: any user who has permission to view rendered template fields in the Airflow web interface or API can read the embedded secrets. No publicly documented exploitation technique exists, but the path to disclosure is straightforward and does not require additional external access.

Generated by OpenCVE AI on June 1, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Airflow to version 3.2.2 or newer to fix nested sensitive-key masking.
  • Limit access to rendered template fields by adjusting user permissions, so that only trusted users can read them.
  • Clear existing rendered_fields cache or restart Airflow components to remove any exposed plaintext secrets.



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| CPEs | | `cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*` |

Mon, 01 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Metrics | | cvssV3_1: `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` |
| | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Mon, 01 Jun 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| First Time appeared | | Apache; Apache airflow |
| Vendors & Products | | Apache; Apache airflow |

Mon, 01 Jun 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path. |
| Title | | Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking |
| Weaknesses | | CWE-200 |
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T13:55:34.712Z

Reserved: 2026-04-26T19:48:31.553Z

Link: CVE-2026-42360

Vulnrichment

Updated: 2026-06-01T13:55:30.859Z

NVD

Status: Analyzed

Published: 2026-06-01T09:16:19.033

Modified: 2026-06-01T17:06:22.257

Link: CVE-2026-42360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T16:30:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor