Description
The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later.
Published:
2026-07-07
Score:
n/a
EPSS:
< 1% Very Low
KEV:
No
Impact:
n/a
Action:
n/a
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 07 Jul 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later. | |
| Title | Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options | |
| Weaknesses | CWE-200 | |
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-07-07T13:23:08.572Z
Reserved: 2026-05-26T01:39:22.505Z
Link: CVE-2026-48892
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor