CVE-2026-42360
Authentication Bypass in Apache Airflow via Nested Secret Masking

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
apache | airflow | up to 3.2.2 (excluding)
CWE ID: CWE-200
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

This vulnerability in Apache Airflow occurs because the system converts structured JSON data containing nested sensitive keys (like password, token, secret, api_key) into a string before applying redaction. When the rendered template field exceeds a configured maximum length, this stringification causes the loss of context needed to mask these nested sensitive keys properly.

As a result, sensitive information inside nested structures can be exposed in plaintext in the rendered_fields, allowing authenticated users with permission to read these fields to access secrets that should have been masked.

The issue is a variant of CWE-200 (Information Exposure) and affects deployments where DAG authors pass structured JSON with nested sensitive keys to operators. The fix involves applying redaction to the structured data before converting it to a string, preserving the masking of nested sensitive keys even when the field is oversized.
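
The ordering problem described above, as an added example in a simplified model. This is not Airflow's code: `redact`, `store_stringify_first`, `store_redact_first`, `MAX_LEN`, the `***` placeholder and the sample data are all assumptions made for illustration.

```python
SENSITIVE_KEYS = {"password", "token", "secret", "api_key"}  # keys named in the advisory
MASK = "***"                       # assumed mask placeholder
MAX_LEN = 64                       # stand-in for [core] max_templated_field_length
REGISTERED = ["registered-value"]  # constructed: a value registered for value-based masking

# Constructed operator argument: nested sensitive key plus enough data to exceed MAX_LEN.
SAMPLE = {"auth": {"user": "etl", "password": "s3cr3t-value"}, "rows": list(range(40))}


def redact(value, key=None):
    """Mask anything stored under a sensitive key, recursing through dicts and
    lists; registered values are masked wherever they occur in a string."""
    if isinstance(key, str) and key.lower() in SENSITIVE_KEYS:
        return MASK
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for known in REGISTERED:
            value = value.replace(known, MASK)
    return value


def truncate(text):
    return text if len(text) <= MAX_LEN else text[:MAX_LEN] + "... [truncated]"


def store_stringify_first(field):
    """Flawed order: an oversized structure is flattened to text before
    redaction, so the redactor sees no keys, only one long string."""
    text = str(field)
    if len(text) > MAX_LEN:
        return truncate(redact(text))
    return str(redact(field))


def store_redact_first(field):
    """Corrected order: redact while the structure is intact, then stringify."""
    return truncate(str(redact(field)))


if __name__ == "__main__":
    print("stringify first:", store_stringify_first(SAMPLE))
    print("redact first:   ", store_redact_first(SAMPLE))
```

Value-based masking still works on the flattened string, which is why a fix covering only registered values leaves the key-based path exposed.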

Impact Analysis

This vulnerability can lead to the exposure of sensitive information such as passwords, tokens, secrets, and API keys within Apache Airflow's rendered template fields.

An authenticated user with permission to read rendered template fields could harvest these secret values that were intended to be masked, potentially leading to unauthorized access or misuse of sensitive credentials.

This exposure increases the risk of security breaches, data leaks, and compromise of systems or services that rely on these secrets.

Detection Guidance

This vulnerability involves the exposure of sensitive information in Apache Airflow's rendered template fields when a rendered field containing nested sensitive keys exceeds the configured maximum length. Detection involves checking whether any rendered template fields contain unmasked sensitive data such as passwords, tokens, secrets, or API keys.

Since the issue arises when rendered fields exceed the [core] max_templated_field_length and the nested sensitive keys are not properly masked, you can audit Airflow's metadata database or logs for rendered_fields entries containing plaintext sensitive values.

Specific commands are not provided in the available resources, but a general approach could include querying the Airflow metadata database for rendered template fields containing common sensitive keywords in plaintext, for example using SQL queries or scripts to search for patterns like 'password', 'token', 'secret', or 'api_key' in the rendered_fields column.
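
One way to script that audit, as an added example that is not from the advisory or the Airflow project. It assumes the `rendered_fields` values have already been exported as text rows of `(dag_id, task_id, text)`, that masked values appear as `***`, and that a regex heuristic is acceptable; the function names and sample rows are constructed. Findings report the key, offset and length only, so the audit output does not copy the secret again.

```python
import re

SENSITIVE = ("password", "token", "secret", "api_key")  # keywords listed on the page
MASK = "***"  # assumed mask placeholder

# A quoted key containing a sensitive keyword, a colon, then a quoted value.
# Works for JSON ("k": "v") and Python repr ('k': 'v'); the value's closing
# quote is optional because truncation may have cut it off.
PATTERN = re.compile(
    r"""(?P<kq>['"])(?P<key>[^'"]*(?:%s)[^'"]*)(?P=kq)""" % "|".join(SENSITIVE)
    + r"""\s*:\s*['"](?P<val>[^'"]*)""",
    re.IGNORECASE,
)

# Constructed sample rows standing in for exported rendered_fields text.
ROWS = [
    ("etl_daily", "load", "{'auth': {'user': 'etl', 'password': '***'}}"),
    ("etl_big", "load", "{'auth': {'password': 'constructed-plaintext', 'rows': [0, 1, 2"),
    ("api_sync", "call", '{"headers": {"api_key": "constructed-key-val'),
]


def find_unmasked(text):
    """Return (key, offset, length) for each sensitive key whose value is not the mask."""
    hits = []
    for m in PATTERN.finditer(text):
        val = m.group("val")
        if val and val != MASK:
            hits.append((m.group("key"), m.start("val"), len(val)))
    return hits


def audit(rows):
    """Build a report of suspect fields without echoing the values themselves."""
    report = []
    for dag_id, task_id, text in rows:
        for key, offset, length in find_unmasked(text):
            report.append({"dag_id": dag_id, "task_id": task_id,
                           "key": key, "offset": offset, "value_len": length})
    return report


if __name__ == "__main__":
    for finding in audit(ROWS):
        print(finding)
```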

Mitigation Strategies

The immediate mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, which includes the fix for this vulnerability.

This update modifies the serialization process to apply redaction to structured data before stringification, preserving nested-key context and ensuring sensitive information is properly masked even when the rendered field exceeds the maximum length.

Additionally, ensure that only authenticated users with appropriate permissions can access rendered template fields in the UI or API to reduce the risk of unauthorized secret harvesting.

Compliance Impact

This vulnerability in Apache Airflow allows nested sensitive information such as passwords, tokens, secrets, and API keys to be exposed in rendered template fields when those fields exceed a configured maximum length. Because sensitive data intended to be masked can be persisted in plaintext and accessed by authenticated users with permission to read rendered template fields, this could lead to unauthorized disclosure of confidential information.

Exposure of such sensitive data can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require proper handling and protection of sensitive information to prevent unauthorized access and data breaches.

Therefore, organizations using affected versions of Apache Airflow may face increased risk of non-compliance with these regulations if the vulnerability is not addressed by upgrading to Apache Airflow 3.2.2 or later, where the fix ensures proper masking of nested sensitive keys regardless of field length.
