Apache Airflow versions prior to 3.2.0 improperly expose exception and stack trace details in API responses when SQL errors occur, despite the "api/expose_stack_traces" setting being false. This behavior constitutes an exposure of resources to the wrong sphere (CWE-668), potentially leaking sensitive information that could aid an attacker. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity, with network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact but no integrity or availability impact. The vendor recommends upgrading to version 3.2.0 where this issue is fixed.

The vulnerability allows unauthorized users to obtain detailed SQL error stack traces from the Airflow API, potentially revealing sensitive internal information such as database schema details or application logic. This information disclosure can aid attackers in crafting further attacks. There is no direct impact on data integrity or availability. No known exploits in the wild have been reported.

Users should upgrade Apache Airflow to version 3.2.0 or later, where this vulnerability is fixed. No other official remediation or temporary workaround is documented. Patch status is not explicitly stated but the vendor advisory recommends upgrading, indicating an official fix is available in version 3.2.0.