CVE-2026-42360
Sensitive Information Exposure in Apache Airflow via Nested Secret Masking Bypass

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
Meta Information
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow Up to 3.2.2 (exc)
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Apache Airflow occurs because the system converts structured JSON data containing nested sensitive keys (like password, token, secret, api_key) into a string before applying redaction. When the rendered template field exceeds a configured maximum length, this stringification causes the loss of context needed to mask these nested sensitive keys properly.

As a result, sensitive information inside nested structures can be exposed in plaintext in the rendered_fields, allowing authenticated users with permission to read these fields to access secrets that should have been masked.

The issue is a variant of CWE-200 (Information Exposure) and affects deployments where DAG authors pass structured JSON with nested sensitive keys to operators. The fix involves applying redaction to the structured data before converting it to a string, preserving the masking of nested sensitive keys even when the field is oversized.
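The order-of-operations defect described in the Description and in the answer above, as an added illustration. This is not Apache Airflow's code: the function names, the simplified sensitive-key list and the mask string `***` (what Airflow's secrets masker emits, assumed here) are stand-ins chosen to show why redacting after stringification loses nested-key context once a field exceeds `max_templated_field_length`, while the same redaction applied to the structure first stays intact under truncation.

```python
# Added illustration of the masking-order bug, NOT Apache Airflow's code.
# Assumed: mask string "***", a fixed sensitive-key list, and that the
# oversized branch stringifies first and redacts the resulting str.
import json
from typing import Any

SENSITIVE_KEYS = {"password", "token", "secret", "api_key"}
MASK = "***"


def redact_structured(value: Any) -> Any:
    """Mask every value stored under a sensitive key, recursing through
    dicts and lists. A plain str is returned unchanged: the keys that said
    where the secrets were are gone once the structure is stringified."""
    if isinstance(value, dict):
        return {
            k: MASK if str(k).lower() in SENSITIVE_KEYS else redact_structured(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(redact_structured(v) for v in value)
    return value


def render_vulnerable(field: Any, max_len: int) -> str:
    """Buggy order (pre-fix behaviour, modelled): the length check runs on
    the stringified field, and the oversized branch redacts that string."""
    serialized = str(field)
    if len(serialized) > max_len:
        # redact_structured() sees a str here, so the nested password survives
        return str(redact_structured(serialized))[:max_len] + " ...(truncated)"
    # the in-limit branch redacts the structure, so small fields were safe
    return json.dumps(redact_structured(field))


def render_fixed(field: Any, max_len: int) -> str:
    """Fixed order: redact the structured value first, then stringify and
    apply the length limit to text that is already masked."""
    serialized = json.dumps(redact_structured(field))
    if len(serialized) > max_len:
        return serialized[:max_len] + " ...(truncated)"
    return serialized


# Constructed sample template fields (not taken from any real Dag).
SECRET = "hunter2-do-not-leak"
SMALL_FIELD = {"conn": {"host": "db.example.internal", "password": SECRET}}
OVERSIZED_FIELD = {
    "conn": {"host": "db.example.internal", "password": SECRET},
    "payload": "x" * 200,  # pushes the field past the length limit
}
MAX_TEMPLATED_FIELD_LENGTH = 120  # stand-in for [core] max_templated_field_length


def leaks_secret(rendered: str) -> bool:
    """True when the persisted text still contains the plaintext secret."""
    return SECRET in rendered


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = fn(OVERSIZED_FIELD, MAX_TEMPLATED_FIELD_LENGTH)
        print(f"{name}: leaks={leaks_secret(out)} -> {out}")
```

Running it shows the small field masked by both paths and the oversized field leaking only through `render_vulnerable`, which is exactly the condition the advisory names: structured JSON with nested sensitive keys that is large enough to trip the length limit.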


How can this vulnerability impact me?

This vulnerability can lead to the exposure of sensitive information such as passwords, tokens, secrets, and API keys within Apache Airflow's rendered template fields.

An authenticated user with permission to read rendered template fields could harvest these secret values that were intended to be masked, potentially leading to unauthorized access or misuse of sensitive credentials.

This exposure increases the risk of security breaches, data leaks, and compromise of systems or services that rely on these secrets.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the exposure of sensitive information in Apache Airflow's rendered template fields when a field containing nested sensitive keys exceeds the configured maximum length. Detection involves checking whether any persisted rendered template fields contain unmasked sensitive data such as passwords, tokens, secrets, or API keys.

Since the issue arises when rendered fields exceed the [core] max_templated_field_length and the nested sensitive keys are not properly masked, you can audit Airflow's metadata database or logs for rendered_fields entries containing plaintext sensitive values.

Specific commands are not provided in the available resources, but a general approach could include querying the Airflow metadata database for rendered template fields containing common sensitive keywords in plaintext, for example using SQL queries or scripts to search for patterns like 'password', 'token', 'secret', or 'api_key' in the rendered_fields column.
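The audit approach described above, as an added example that is not an Airflow-provided tool. It assumes Airflow keeps rendered fields in the metadata table `rendered_task_instance_fields` (JSON column `rendered_fields`, alongside `dag_id` and `task_id`) and masks secrets as `***`; the rows below are constructed samples standing in for a real query against that table, and the regex is a heuristic that looks for sensitive keys in both JSON form and the Python-repr form a stringified-then-truncated field takes.

```python
# Added detection example, not part of Airflow. Assumed: table
# rendered_task_instance_fields with JSON column rendered_fields, mask "***".
# The constructed SAMPLE_ROWS stand in for the result of something like
#   SELECT dag_id, task_id, rendered_fields FROM rendered_task_instance_fields;
import json
import re

SENSITIVE_KEYS = ("password", "token", "secret", "api_key")
MASK = "***"

# Matches "key": "value" (JSON) as well as 'key': 'value' (Python repr, which
# is what an oversized field looks like once it was stringified and stored
# as text inside the JSON). Values containing quotes are not handled; treat
# a miss as "inspect manually", not as "clean".
_SECRET_RE = re.compile(
    r"""['"](%s)['"]\s*:\s*['"]([^'"]*)['"]""" % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)


def find_plaintext_secrets(rendered_fields: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs under sensitive keys whose value is not the mask."""
    return [(k, v) for k, v in _SECRET_RE.findall(rendered_fields) if v != MASK]


def scan_rows(rows):
    """rows: iterable of (dag_id, task_id, rendered_fields_json_text).
    Findings carry the key and the value length only, so the audit report
    does not re-leak the secret it just found."""
    findings = []
    for dag_id, task_id, rendered_fields in rows:
        for key, value in find_plaintext_secrets(rendered_fields):
            findings.append({
                "dag_id": dag_id,
                "task_id": task_id,
                "key": key.lower(),
                "value_length": len(value),
            })
    return findings


# Constructed sample rows: a correctly masked structured field, an oversized
# field persisted as a stringified Python dict, and a masked header next to
# an unmasked nested token.
SAMPLE_ROWS = [
    ("etl", "load", json.dumps(
        {"op_kwargs": {"conn": {"host": "db", "password": "***"}}})),
    ("etl", "big_load", json.dumps(
        {"op_kwargs": "Truncated. " + str(
            {"conn": {"host": "db", "password": "hunter2"}, "payload": "x" * 40})})),
    ("api", "call", json.dumps(
        {"headers": {"api_key": "***"}, "body": {"token": "tok_live_123"}})),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Feed it the real rows instead of `SAMPLE_ROWS` and any finding is a task whose persisted rendered fields should be purged and whose secret should be rotated, since the page's point is that read access to rendered fields was enough to harvest it.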


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, which includes the fix for this vulnerability.

This update modifies the serialization process to apply redaction to structured data before stringification, preserving nested-key context and ensuring sensitive information is properly masked even when the rendered field exceeds the maximum length.

Additionally, ensure that only authenticated users with appropriate permissions can access rendered template fields in the UI or API to reduce the risk of unauthorized secret harvesting.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in Apache Airflow allows nested sensitive information such as passwords, tokens, secrets, and API keys to be exposed in rendered template fields when those fields exceed a configured maximum length. Because sensitive data intended to be masked can be persisted in plaintext and accessed by authenticated users with permission to read rendered template fields, this could lead to unauthorized disclosure of confidential information.

Exposure of such sensitive data can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require proper handling and protection of sensitive information to prevent unauthorized access and data breaches.

Therefore, organizations using affected versions of Apache Airflow may face increased risk of non-compliance with these regulations if the vulnerability is not addressed by upgrading to Apache Airflow 3.2.2 or later, where the fix ensures proper masking of nested sensitive keys regardless of field length.

