Apache Airflow <3.2 Secrets in JSON Variables not redacted
CVE-2026-32690 Published on April 18, 2026

Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-32690 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.


Products Associated with CVE-2026-32690

Want to know whenever a new CVE is published for Apache AirFlow? stack.watch will email you.

Apache AirFlow
 

Affected Versions

Apache Software Foundation Apache Airflow: