CVE-2026-42358
Status: Received - Intake
Variable Masker Bypass in Apache Airflow

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nested item before checking the sensitive key name. An authenticated UI/API user with Variable read permission could harvest plaintext secret values stored under sensitive keys nested deep enough to exceed the masker's depth cap. Affects deployments that store sensitive values inside deeply-nested JSON Variables. This is a residual gap in the fix for CVE-2026-32690 (which covered shallower nesting via `max_depth=1`); the depth-limit boundary itself was not raised, so the same key-name bypass pattern reappears beyond the recursion cap. Users who already upgraded for CVE-2026-32690 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the deep-nesting path.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: apache
Product: airflow
Version / Range: From 3.2.2 (inc)
Exploitability
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Apache Airflow's Variable response masker, which is responsible for redacting sensitive information such as passwords, tokens, secrets, and API keys in JSON data.

The issue arises because the masker applies a recursion depth limit before checking if a key name is sensitive. When sensitive keys are nested deeper than this recursion limit (default 5 levels), the masker fails to redact them, exposing the plaintext secret values.

An authenticated user with Variable read permission can exploit this to access sensitive values stored in deeply nested JSON Variables, bypassing the intended redaction.

This vulnerability is a residual gap from a previous fix (CVE-2026-32690) that only addressed shallower nesting. The current fix moves the depth cutoff check inside the sensitive key validation to ensure all sensitive keys, regardless of nesting depth, are properly masked.
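
As an added illustration (this is example code, not Airflow's own masker and not the patch the answer refers to), the two functions below reconstruct in Python the ordering problem the page describes: `redact_vulnerable` applies the recursion-depth cap before looking at the key name, so a value stored under a sensitive key that sits deeper than the cap is handed back in plaintext, while `redact_fixed` checks the key name first. The suffix list and the default cap of 5 come from the page; the mask string, the depth-counting convention and the three sample Variables are constructed for the example. One design choice is mine and is not a statement about what Airflow 3.2.2 does: when `redact_fixed` reaches the cap on a container it masks the whole container rather than returning it raw, since a container past the cap could still hold a sensitive key it will never visit.

```python
"""Reconstruction of the key-name vs depth-cap ordering bug; example code, not Airflow's."""
from __future__ import annotations

from typing import Any

# Suffixes the page lists as triggering redaction (suffix-matched here by assumption).
SENSITIVE_SUFFIXES = ("password", "token", "secret", "api_key")
MASK = "***"
DEFAULT_MAX_DEPTH = 5  # the default depth cap the page's Q&A cites


def is_sensitive(name: str | None) -> bool:
    """True when a key name ends with one of the sensitive suffixes."""
    return bool(name) and name.lower().endswith(SENSITIVE_SUFFIXES)


def redact_vulnerable(item: Any, name: str | None = None, depth: int = 0,
                      max_depth: int = DEFAULT_MAX_DEPTH) -> Any:
    """Buggy ordering: the depth cap hands back the raw item before the key check."""
    if depth > max_depth:
        return item  # BUG: a value under a sensitive key at this depth leaks
    if is_sensitive(name):
        return MASK
    if isinstance(item, dict):
        return {k: redact_vulnerable(v, k, depth + 1, max_depth) for k, v in item.items()}
    if isinstance(item, list):
        return [redact_vulnerable(v, name, depth + 1, max_depth) for v in item]
    return item


def redact_fixed(item: Any, name: str | None = None, depth: int = 0,
                 max_depth: int = DEFAULT_MAX_DEPTH) -> Any:
    """Key-name check first, so depth never decides whether a sensitive key is masked."""
    if is_sensitive(name):
        return MASK
    if depth > max_depth:
        # Past the cap we stop descending. A container here could still hide a
        # sensitive key, so this example masks it whole (fail closed) instead of
        # returning it raw. That choice is this example's, not Airflow's.
        return MASK if isinstance(item, (dict, list)) else item
    if isinstance(item, dict):
        return {k: redact_fixed(v, k, depth + 1, max_depth) for k, v in item.items()}
    if isinstance(item, list):
        return [redact_fixed(v, name, depth + 1, max_depth) for v in item]
    return item


# Constructed sample Variables. Depth counts container levels below the root,
# so the root's own keys sit at depth 1.
SHALLOW_VARIABLE = {"api_key": "abc123", "conn": {"host": "db", "password": "pw"}}
# "db_password" sits at depth 6: one level past the default cap of 5.
BOUNDARY_VARIABLE = {"l1": {"l2": {"l3": {"l4": {"l5": {"db_password": "hunter2"}}}}}}
# "db_password" sits at depth 7: the container holding it is already past the cap.
DEEP_VARIABLE = {"l1": {"l2": {"l3": {"l4": {"l5": {"l6": {"db_password": "hunter2"}}}}}}}


def leaked_secrets(original: Any, masked: Any) -> list[str]:
    """Return the plaintext values under sensitive keys that survived masking."""
    leaks: list[str] = []

    def walk(o: Any, m: Any, name: str | None) -> None:
        if isinstance(o, dict) and isinstance(m, dict):
            for k, v in o.items():
                walk(v, m.get(k), k)
        elif isinstance(o, list) and isinstance(m, list):
            for ov, mv in zip(o, m):
                walk(ov, mv, name)
        elif is_sensitive(name) and m == o and not isinstance(o, (dict, list)):
            leaks.append(str(o))

    walk(original, masked, None)
    return leaks


if __name__ == "__main__":
    samples = [("shallow", SHALLOW_VARIABLE), ("boundary", BOUNDARY_VARIABLE), ("deep", DEEP_VARIABLE)]
    for label, var in samples:
        print(label, "vulnerable leaks:", leaked_secrets(var, redact_vulnerable(var)))
        print(label, "fixed leaks:     ", leaked_secrets(var, redact_fixed(var)))
```

Running the module shows that both versions mask the shallow sample identically, that the vulnerable ordering leaks `hunter2` from both deep samples, and that raising `max_depth` only moves the boundary (`redact_vulnerable(BOUNDARY_VARIABLE, max_depth=6)` masks the depth-6 key but a depth-7 key would still leak), which is why the page stresses that the cap itself was not the fix.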


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in Apache Airflow's Variable response masker allows sensitive information such as passwords, tokens, secrets, or API keys nested deeply in JSON variables to be exposed in plaintext to authenticated users with Variable read permission.

Exposure of such sensitive data can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require proper protection and masking of sensitive information to prevent unauthorized disclosure.

Therefore, deployments affected by this vulnerability risk violating these regulations due to the potential leakage of confidential secrets, which could result in data breaches or unauthorized access.

Upgrading to Apache Airflow version 3.2.2 or later is necessary to mitigate this risk and maintain compliance by ensuring that deeply nested sensitive keys are properly masked.


How can this vulnerability impact me?

If you use Apache Airflow and store sensitive information such as passwords, tokens, secrets, or API keys inside deeply nested JSON Variables, this vulnerability can expose those secrets in plaintext.

An authenticated user with Variable read permission could harvest these sensitive values because the redaction mechanism fails beyond a certain nesting depth.

This exposure could lead to unauthorized access to critical systems or data, potentially resulting in data breaches or compromise of your infrastructure.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves sensitive values nested deeply in JSON Variables being exposed in plaintext via Apache Airflow's UI/API outputs when the nesting depth exceeds the secrets masker's recursion limit.

To detect this vulnerability, you can audit your Apache Airflow Variables for deeply nested JSON structures containing sensitive keys such as "password", "token", "secret", or "api_key".

Since the issue manifests when reading Variables via the UI or API, you can attempt to retrieve Variables with deeply nested sensitive keys using the Airflow CLI or API and check if the sensitive values are masked or exposed in plaintext.

  • Use the Airflow CLI to read a Variable: `airflow variables get <variable_key>` and inspect the output for unmasked sensitive data.
  • Use API calls to fetch Variables with deeply nested sensitive keys and verify if the sensitive values are masked or visible.

There are no specific commands provided in the resources, but focusing on Variables with deeply nested JSON containing sensitive keys and verifying their masking status in outputs is the detection approach.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, which includes the fix for this vulnerability.

This update moves the recursion-depth cutoff check inside the sensitive-key validation block, ensuring that sensitive keys nested beyond the previous recursion limit are properly masked.

Additionally, review your Variables to avoid storing sensitive data in deeply nested JSON structures if possible, as this reduces exposure risk.

Ensure that only authenticated users with appropriate permissions can access Variables, limiting the risk of unauthorized secret harvesting.

