Apache Airflow Config API v3.3+ Fix: Env Override Secret Exposure
CVE-2026-48892 Published on July 7, 2026

Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-48892 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-48892 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2026-48892

Want to know whenever a new CVE is published for Apache AirFlow? stack.watch will email you.

 

Affected Versions

Apache Software Foundation Apache Airflow: