SQL Error Stack Trace Exposed in Apache Airflow API (pre-3.2.0)
CVE-2026-30912 Published on April 18, 2026

Apache Airflow: Exposing stack trace in case of constraint error
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-30912 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.


Products Associated with CVE-2026-30912

Want to know whenever a new CVE is published for Apache AirFlow? stack.watch will email you.

Apache AirFlow
 

Affected Versions

Apache Software Foundation Apache Airflow: