CVE-2026-32690: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented
AI Analysis
Technical Summary
CVE-2026-32690 describes a low-severity vulnerability in Apache Airflow 3.0.0 where secrets stored within JSON dictionary variables are not masked properly upon retrieval, leading to exposure of sensitive nested fields. This is classified under CWE-668 (Exposure of Resource to Wrong Sphere). The issue affects users who store sensitive data in JSON-formatted variables. The vendor has addressed this issue in Apache Airflow version 3.2.0.
Potential Impact
The vulnerability allows exposure of secrets stored as nested fields in JSON variables when these variables are retrieved by users. The impact is limited to confidentiality (low impact) with no integrity or availability effects. Only users who store sensitive data in JSON variables are at risk. There are no known exploits in the wild.
Mitigation Recommendations
Upgrade to Apache Airflow version 3.2.0 or later, where the issue is fixed. If you do not store sensitive values in JSON-formatted variables, you are not affected. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to 3.2.0 for the fix.
CVE-2026-32690: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
Description
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented
CVSS v3.1
Score 3.7low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-32690 describes a low-severity vulnerability in Apache Airflow 3.0.0 where secrets stored within JSON dictionary variables are not masked properly upon retrieval, leading to exposure of sensitive nested fields. This is classified under CWE-668 (Exposure of Resource to Wrong Sphere). The issue affects users who store sensitive data in JSON-formatted variables. The vendor has addressed this issue in Apache Airflow version 3.2.0.
Potential Impact
The vulnerability allows exposure of secrets stored as nested fields in JSON variables when these variables are retrieved by users. The impact is limited to confidentiality (low impact) with no integrity or availability effects. Only users who store sensitive data in JSON variables are at risk. There are no known exploits in the wild.
Mitigation Recommendations
Upgrade to Apache Airflow version 3.2.0 or later, where the issue is fixed. If you do not store sensitive values in JSON-formatted variables, you are not affected. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to 3.2.0 for the fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-13T10:53:28.309Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e32a52bdfbbecc59fc2b91
Added to database: 4/18/2026, 6:53:06 AM
Last enriched: 4/26/2026, 2:39:24 AM
Last updated: 6/3/2026, 2:26:49 PM
Views: 144
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.