CVE-2026-42526
Path Traversal in Apache Airflow Amazon Provider
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache_airflow_providers_amazon | up to 9.28.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the AWS Secrets Manager and SSM Parameter Store secrets backends of the apache-airflow-providers-amazon package prior to version 9.28.0. The issue arises from the team-scoping logic that could incorrectly resolve a connection identifier (conn_id) containing a slash (e.g., "my_team/conn") to the same secret path as another team's team-scoped secret when the caller had no team context.
As a result, a privileged caller without team context could craft a specially formatted conn_id to retrieve secrets belonging to another team. The vulnerability affects only the experimental multi-tenant teams feature.
The issue was fixed in version 9.28.0 by changing the team-scope separator from "/" to "--" and rejecting team-shaped conn_ids when no team context is present, thereby preventing unauthorized secret access.
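The collision and the fix described above can be modelled in a few lines. This is an added illustration, not the provider's actual code: the function names, the `airflow/connections` prefix and the reading of "team-shaped" as "contains `--`" are assumptions made for the sketch.

```python
from typing import Callable, Optional

PREFIX = "airflow/connections"  # assumed connections prefix for this sketch


def legacy_path(conn_id: str, team: Optional[str] = None) -> str:
    """Pre-fix model: '/' joins team and conn_id, and '/' is also legal in conn_id."""
    scoped = f"{team}/{conn_id}" if team else conn_id
    return f"{PREFIX}/{scoped}"


def fixed_path(conn_id: str, team: Optional[str] = None) -> str:
    """Post-fix model: '--' separator; team-shaped ids refused without team context."""
    if team is None and "--" in conn_id:
        raise ValueError(f"team-shaped conn_id {conn_id!r} without team context")
    scoped = f"{team}--{conn_id}" if team else conn_id
    return f"{PREFIX}/{scoped}"


def reaches_team_secret(path_fn: Callable[..., str], crafted: str,
                        team: str, conn_id: str) -> bool:
    """True if a caller with no team context resolves to the team's secret path."""
    try:
        return path_fn(crafted) == path_fn(conn_id, team)
    except ValueError:
        # Lookup rejected before any secret path is built.
        return False


if __name__ == "__main__":
    cases = [
        (legacy_path, "my_team/conn"),   # collides with my_team's scoped secret
        (fixed_path, "my_team/conn"),    # '/' no longer maps into the team scope
        (fixed_path, "my_team--conn"),   # new separator, but rejected without team
    ]
    for fn, crafted in cases:
        hit = reaches_team_secret(fn, crafted, team="my_team", conn_id="conn")
        print(f"{fn.__name__:12} conn_id={crafted!r:16} reaches team secret: {hit}")
```

The sketch shows why both parts of the fix matter: changing the separator alone would leave `my_team--conn` resolvable by a caller without team context, so such identifiers are rejected outright.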
How can this vulnerability impact me?
This vulnerability can allow a privileged user without proper team context to access secrets belonging to other teams by crafting a colliding connection identifier.
Such unauthorized access to secrets could lead to exposure of sensitive information, potentially compromising security boundaries between teams in a multi-tenant environment.
This could result in data leaks, unauthorized actions, or further exploitation depending on the nature of the secrets accessed.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade the apache-airflow-providers-amazon package to version 9.28.0 or later, which contains the fix.
The fix changes the team-scope separator from '/' to '--' and rejects team-shaped conn_id values when no team context is present, preventing unauthorized access to other teams' secrets.
Additionally, reviewing and restricting privileged caller access to ensure they have appropriate team context can help reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a privileged caller without proper team context to access another team's secrets by exploiting the team-scoping logic in Apache Airflow's AWS Secrets Manager and SSM Parameter Store backends. Such unauthorized access to sensitive secrets could lead to exposure of confidential information.
Exposure of sensitive secrets may impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to sensitive data and secrets. Unauthorized access could result in violations of confidentiality and data protection requirements.
The issue affects only the experimental multi-tenant teams feature and was fixed in version 9.28.0 by changing the team-scope separator and rejecting team-shaped connection IDs when team context is absent, thereby improving access control and reducing the risk of secret exposure.
Users are recommended to upgrade to apache-airflow-providers-amazon 9.28.0 or later to mitigate this risk and help maintain compliance with relevant security standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to team-scoped secrets by exploiting the team-scoping logic in Apache Airflow's AWS Secrets Manager and SSM Parameter Store backends. Detection would focus on identifying usage of vulnerable versions of the apache-airflow-providers-amazon package (prior to 9.28.0) and monitoring for suspicious access patterns involving conn_id values containing a slash ("/") or team-shaped patterns.
Since the vulnerability is related to how conn_id values are resolved, you can detect potential exploitation attempts by searching logs or monitoring API calls for conn_id parameters that contain slashes or team-shaped patterns (e.g., "my_team/conn" or "my_team--conn") when no team context is present.
Suggested commands to help detect this vulnerability include:
- Check the installed version of apache-airflow-providers-amazon to confirm if it is older than 9.28.0: `pip show apache-airflow-providers-amazon`
- Search Airflow logs or audit logs for suspicious conn_id patterns containing slashes or double hyphens, for example using grep: `grep -rE 'conn_id.*(/|--)' /path/to/airflow/logs`
- Monitor AWS Secrets Manager and SSM Parameter Store access logs for requests with conn_id parameters that include team-shaped patterns without proper team context.
Ultimately, upgrading to apache-airflow-providers-amazon version 9.28.0 or later is the recommended mitigation.