CVE-2026-48828
Received Received - Intake

Information Disclosure in Apache Airflow Bulk Variables API

Vulnerability report for CVE-2026-48828, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Apache Software Foundation

Description

The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based `should_hide_value_for_key` check (which triggers on secret-suffixed key names like `*_password` / `*_token` / `*_secret`) could not fire for JSON-decodable variable values. An authenticated UI/API user with bulk Variable read permission could retrieve plaintext values from JSON variables whose key would otherwise trigger redaction. Affects deployments that store sensitive values in JSON-typed Airflow Variables under secret-suffixed key names. Users are advised to upgrade to `apache-airflow` 3.3.0 or later (the fix landed on `main` after 3.2.2; no 3.2.x backport).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache airflow From 3.3.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in Apache Airflow's Bulk Variables API occurs because the redaction process does not receive the variable's key when handling JSON-encoded variable values. This omission prevents the key-based check that identifies sensitive keys (such as those ending with _password, _token, or _secret) from triggering. As a result, sensitive data stored as JSON in Airflow Variables can be exposed in plaintext to authenticated users with bulk Variable read permission.

Specifically, while plain string values with sensitive keys are properly masked, JSON values containing sensitive information are not redacted due to a missing argument in the redaction function. This flaw allows sensitive JSON data to be retrieved unmasked via the Airflow REST API.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in Apache Airflow Variables. If you store secrets such as passwords, tokens, or other confidential data in JSON-typed Variables with keys that should trigger redaction, an authenticated user with bulk Variable read permission could retrieve these secrets in plaintext.

Such exposure increases the risk of credential compromise, unauthorized access to systems, and potential data breaches, especially in environments where Airflow is used to manage workflows involving sensitive credentials.

Detection Guidance

This vulnerability can be detected by checking if sensitive JSON-typed Airflow Variables with secret-suffixed keys (such as *_password, *_token, *_secret) are being returned in plaintext via the Airflow REST API endpoint /api/v2/variables.

One way to detect this is to perform an authenticated API call to the /api/v2/variables endpoint and inspect whether JSON variable values that should be redacted are instead returned in cleartext.

For example, you can use a command like the following (replace placeholders accordingly):

  • curl -X GET "http://<airflow-host>/api/v2/variables" -H "Authorization: Bearer <your_token>"

Then, review the output for any JSON variables with keys ending in _password, _token, or _secret that expose sensitive data in plaintext.

Mitigation Strategies

The primary mitigation step is to upgrade Apache Airflow to version 3.3.0 or later, where the redaction logic for JSON-typed Variables has been fixed.

Until the upgrade can be performed, avoid storing sensitive data in JSON-typed Variables with secret-suffixed keys, or restrict access to users with bulk Variable read permissions.

Additionally, review and audit Variable permissions to limit exposure of sensitive information.

Compliance Impact

This vulnerability in Apache Airflow allows authenticated users with bulk Variable read permission to retrieve plaintext sensitive data stored in JSON-typed Variables whose keys would normally trigger redaction. Such exposure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require proper safeguarding and masking of sensitive data.

Specifically, the failure to redact sensitive JSON values such as passwords, tokens, or secrets means that confidential information could be exposed through the API, increasing the risk of unauthorized data disclosure. This undermines the confidentiality and data protection controls mandated by these standards.

Therefore, affected deployments that store sensitive values in JSON-typed Airflow Variables under secret-suffixed key names should upgrade to Apache Airflow 3.3.0 or later to restore proper redaction and maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart