Apache Airflow Config API v3.3+ Fix: Env Override Secret Exposure
CVE-2026-48892 Published on July 7, 2026
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later.
Vulnerability Analysis
CVE-2026-48892 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2026-48892 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2026-48892
Want to know whenever a new CVE is published for Apache AirFlow? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Airflow:- Before 3.3.0 is affected.