CVE-2026-32690
Received - Intake
Improper Secret Redaction in Apache Airflow JSON Variables

Publication date: 2026-04-18

Last updated on: 2026-04-21

Assigner: Apache Software Foundation

Description
Secrets in Variables saved as JSON dictionaries were not properly redacted: when these variables were retrieved by the user, the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise, please upgrade to Apache Airflow 3.2.0, which has the fix implemented.
Meta Information
Published: 2026-04-18
Last Modified: 2026-04-21
Generated: 2026-06-16
AI Q&A: 2026-04-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
apache | airflow | From 3.0.0 (inc) to 3.2.0 (exc)
CWE ID | Description
CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Executive Summary

This vulnerability involves secrets stored in variables as JSON dictionaries not being properly redacted. Specifically, when these variables are retrieved by a user, the secrets stored as nested fields within the JSON were not masked, potentially exposing sensitive information.

Impact Analysis

If you store sensitive values in variables using JSON format, this vulnerability could lead to exposure of those secrets when the variables are accessed, as the nested secret fields are not masked. This could result in unauthorized disclosure of sensitive information.

If you do not store variables with sensitive values in JSON form, you are not affected by this vulnerability.

Mitigation Strategies

If you do not store variables with sensitive values in JSON form, you are not affected.

Otherwise, please upgrade to Apache Airflow 3.2.0, which contains the fix for this vulnerability.
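An added example, not part of the original advisory or of Apache Airflow's code: a Python audit that flags variables whose JSON dictionary value contains secret-looking keys, to help decide whether the "not affected" condition above applies. The input shape (variable name mapped to its stored value), the `SENSITIVE_HINTS` list and the sample data are assumptions constructed for illustration.

```python
import json

# Assumption: substrings that mark a key as secret-bearing. Adjust to the
# names your deployment expects to be masked.
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "api_key",
                   "apikey", "private_key", "passphrase", "authorization")


def _walk(node, path=""):
    """Yield paths of secret-looking, non-empty keys at any depth of the JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if value not in (None, "") and any(
                    hint in str(key).lower() for hint in SENSITIVE_HINTS):
                yield here
            yield from _walk(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{path}[{index}]")


def audit_variables(variables):
    """Map variable name -> secret-looking paths inside its JSON dictionary."""
    findings = {}
    for name, raw in variables.items():
        doc = raw
        if isinstance(raw, str):
            try:
                doc = json.loads(raw)
            except ValueError:
                continue  # plain string variable: not stored in JSON form
        if not isinstance(doc, dict):
            continue  # the advisory concerns JSON dictionaries only
        paths = sorted(_walk(doc))
        if paths:
            findings[name] = paths
    return findings


# Constructed sample input; every value is a placeholder.
SAMPLE = {
    "region": "eu-west-1",
    "retries": "3",
    "warehouse": '{"host": "db.example.internal", "auth": {"user": "etl", "password": "EXAMPLE-ONLY"}}',
    "notify": '{"targets": [{"url": "https://hooks.example.invalid/x", "token": "EXAMPLE-ONLY"}]}',
    "flags": '{"dry_run": true}',
}

if __name__ == "__main__":
    for var, paths in audit_variables(SAMPLE).items():
        print(f"{var}: {', '.join(paths)}")
```

Variables reported here are the ones to review before and after upgrading; only key paths are printed, never the values.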

Compliance Impact

This vulnerability involves secrets stored in JSON variables not being properly redacted, which means sensitive information could be exposed if those variables are retrieved by users.

Exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require proper handling and protection of sensitive information.

Therefore, if sensitive data is stored in JSON variables in Apache Airflow versions prior to 3.2.0, this vulnerability could result in violations of these standards due to inadequate masking of secrets.

Upgrading to Apache Airflow 3.2.0, where the fix is implemented, is recommended to maintain compliance.
