CVE-2026-30912
Received Received - Intake
Information Disclosure via SQL Error Stack Trace in Apache Airflow API

Publication date: 2026-04-18

Last updated on: 2026-04-21

Assigner: Apache Software Foundation

Description
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30912
EUVD
EUVD-2026-23662
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow to 3.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when SQL errors cause exception or stack trace information to be exposed through the API, even if the configuration setting "api/expose_stack_traces" is set to false.

This unintended exposure can reveal additional internal information about the system to potential attackers.

The issue affects Apache Airflow and is fixed in version 3.2.0.

Impact Analysis

The vulnerability can lead to the exposure of sensitive internal information through error messages and stack traces.

Attackers could use this information to better understand the system, potentially aiding in further attacks or exploitation.

Mitigation Strategies

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue of exposing exception/stack trace errors in the API even when the "api/expose_stack_traces" setting is false.

Compliance Impact

The vulnerability causes SQL error stack traces to be exposed via the API even when the configuration to hide them is enabled. This exposure of additional information could potentially lead to unauthorized access or data leakage.

Such unintended information disclosure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of information leakage.

Users are recommended to upgrade to Apache Airflow 3.2.0 to fix this issue and reduce the risk of non-compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30912. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart