CVE-2026-48892
Received Received - Intake

Secrets-Backend Credentials Exposure in Apache Airflow Config API

Vulnerability report for CVE-2026-48892, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Apache Software Foundation

Description

The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache airflow From 3.3.0 (inc)
apache airflow to 3.2.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Apache Airflow involves the Config API exposing sensitive secrets-backend credentials in plaintext. Specifically, environment variables used for per-key secrets-backend overrides, such as AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID and AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID, were not properly masked because their option names were not included in the list of sensitive configuration values. As a result, an authenticated user with Config read permission could retrieve these secret credentials from the API output.

Impact Analysis

The impact of this vulnerability is that an authenticated user with permission to read configuration via the UI or API could access plaintext secrets-backend credentials. This exposure could lead to unauthorized access to secret management systems like Vault, potentially allowing attackers to escalate privileges, access sensitive data, or compromise the security of the Airflow deployment.

Detection Guidance

This vulnerability involves the exposure of plaintext secrets-backend credentials through the Apache Airflow Config API when per-key environment variable overrides are used. Detection involves checking if the Config API responses include unmasked sensitive environment variables such as AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID or AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID.

You can detect this by querying the Config API endpoints (e.g., GET /config or GET /config/section/{section}/option/{option}) as an authenticated user with Config read permission and inspecting the output for any plaintext secrets-backend credentials.

No specific commands are provided in the available resources, but a typical approach would be to use curl or similar HTTP clients to request the configuration API endpoints and grep or search the output for the sensitive environment variable patterns.

  • Example command to check the config API output: curl -u <user>:<password> http://<airflow-host>/api/v1/config | grep SECRET_ID
Mitigation Strategies

The primary mitigation step is to upgrade Apache Airflow to version 3.3.0 or later, where this vulnerability has been fixed by properly masking the sensitive per-key environment variable overrides in the Config API responses.

If upgrading immediately is not possible, restrict Config API access to only trusted and authenticated users with minimal permissions, especially limiting Config read permission to prevent unauthorized retrieval of secrets.

Review and audit environment variable usage for secrets backend configuration to minimize exposure and consider alternative secret management approaches that do not rely on per-key environment variable overrides.

Compliance Impact

This vulnerability allows an authenticated user with Config read permission to retrieve plaintext secrets-backend credentials from the Config API output. Such exposure of sensitive credentials could lead to unauthorized access to protected data or systems.

Exposure of sensitive secrets and credentials in plaintext may violate data protection and security requirements outlined in common standards and regulations such as GDPR and HIPAA, which mandate proper protection and confidentiality of sensitive information.

Therefore, deployments affected by this vulnerability may face compliance risks if the exposed secrets lead to unauthorized data access or breaches.

Users are advised to upgrade to Apache Airflow 3.3.0 or later, where the issue is fixed by properly masking these sensitive configuration values.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48892. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart