Apache Airflow <3.2 Secrets in JSON Variables not redacted
CVE-2026-32690 Published on April 18, 2026

Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented

Vendor Advisory NVD

Weakness Type

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Products Associated with CVE-2026-32690

Want to know whenever a new CVE is published for Apache AirFlow? stack.watch will email you.

Apache AirFlow

Affected Versions

Apache Software Foundation Apache Airflow:

Version 3.0.0 and below 3.2.0 is affected.

Apache Airflow <3.2 Secrets in JSON Variables not redactedCVE-2026-32690 Published on April 18, 2026

Weakness Type

Exposure of Resource to Wrong Sphere

Products Associated with CVE-2026-32690

Affected Versions

Apache Airflow <3.2 Secrets in JSON Variables not redacted
CVE-2026-32690 Published on April 18, 2026