CVE-2026-42526
Awaiting Analysis Awaiting Analysis - Queue
Path Traversal in Apache Airflow Amazon Provider

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: Apache Software Foundation

Description
In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-42526
EUVD
EUVD-2026-30974
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache apache_airflow_providers_amazon to 9.28.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the AWS Secrets Manager and SSM Parameter Store secrets backends of the apache-airflow-providers-amazon package prior to version 9.28.0. The issue arises from the team-scoping logic that could incorrectly resolve a connection identifier (conn_id) containing a slash (e.g., "my_team/conn") to the same secret path as another team's team-scoped secret when the caller had no team context.

As a result, a privileged caller without team context could craft a specially formatted conn_id to retrieve secrets belonging to another team. The vulnerability affects only the experimental multi-tenant teams feature.

The issue was fixed in version 9.28.0 by changing the team-scope separator from "/" to "--" and rejecting team-shaped conn_ids when no team context is present, thereby preventing unauthorized secret access.

Impact Analysis

This vulnerability can allow a privileged user without proper team context to access secrets belonging to other teams by crafting a colliding connection identifier.

Such unauthorized access to secrets could lead to exposure of sensitive information, potentially compromising security boundaries between teams in a multi-tenant environment.

This could result in data leaks, unauthorized actions, or further exploitation depending on the nature of the secrets accessed.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade the apache-airflow-providers-amazon package to version 9.28.0 or later, which contains the fix.

The fix changes the team-scope separator from '/' to '--' and rejects team-shaped conn_id values when no team context is present, preventing unauthorized access to other teams' secrets.

Additionally, reviewing and restricting privileged caller access to ensure they have appropriate team context can help reduce risk.

Compliance Impact

This vulnerability allows a privileged caller without proper team context to access another team's secrets by exploiting the team-scoping logic in Apache Airflow's AWS Secrets Manager and SSM Parameter Store backends. Such unauthorized access to sensitive secrets could lead to exposure of confidential information.

Exposure of sensitive secrets may impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to sensitive data and secrets. Unauthorized access could result in violations of confidentiality and data protection requirements.

The issue affects only the experimental multi-tenant teams feature and was fixed in version 9.28.0 by changing the team-scope separator and rejecting team-shaped connection IDs when team context is absent, thereby improving access control and reducing the risk of secret exposure.

Users are recommended to upgrade to apache-airflow-providers-amazon 9.28.0 or later to mitigate this risk and help maintain compliance with relevant security standards.

Detection Guidance

This vulnerability involves unauthorized access to team-scoped secrets by exploiting the team-scoping logic in Apache Airflow's AWS Secrets Manager and SSM Parameter Store backends. Detection would focus on identifying usage of vulnerable versions of the apache-airflow-providers-amazon package (prior to 9.28.0) and monitoring for suspicious access patterns involving conn_id values containing a slash ("/") or team-shaped patterns.

Since the vulnerability is related to how conn_id values are resolved, you can detect potential exploitation attempts by searching logs or monitoring API calls for conn_id parameters that contain slashes or team-shaped patterns (e.g., "my_team/conn" or "my_team--conn") when no team context is present.

Suggested commands to help detect this vulnerability include:

  • Check the installed version of apache-airflow-providers-amazon to confirm if it is older than 9.28.0: `pip show apache-airflow-providers-amazon`
  • Search Airflow logs or audit logs for suspicious conn_id patterns containing slashes or double hyphens, for example using grep: `grep -rE 'conn_id.*[\/]' /path/to/airflow/logs`
  • Monitor AWS Secrets Manager and SSM Parameter Store access logs for requests with conn_id parameters that include team-shaped patterns without proper team context.

Ultimately, upgrading to apache-airflow-providers-amazon version 9.28.0 or later is the recommended mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42526. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart