CVE-2026-32690: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented
AI Analysis
Technical Summary
CVE-2026-32690 is a vulnerability in Apache Airflow 3.0.0 where secrets stored as nested fields in JSON dictionary variables are not masked properly upon retrieval, leading to exposure of sensitive information. This is categorized under CWE-668 (Exposure of Resource to Wrong Sphere). The vulnerability affects only those who store sensitive data in JSON variables. Apache Airflow 3.2.0 includes a fix that properly redacts these secrets.
Potential Impact
Sensitive information stored as nested fields in JSON dictionary variables may be exposed to users retrieving these variables, potentially leading to unauthorized disclosure of secrets. The impact is limited to configurations where sensitive data is stored in JSON form within variables.
Mitigation Recommendations
Upgrade to Apache Airflow version 3.2.0 or later, which includes a fix for this vulnerability. If you do not store sensitive values in JSON variables, you are not affected and no immediate action is required. Patch status is not explicitly stated but the vendor recommends upgrading to 3.2.0 for remediation.
CVE-2026-32690: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
Description
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-32690 is a vulnerability in Apache Airflow 3.0.0 where secrets stored as nested fields in JSON dictionary variables are not masked properly upon retrieval, leading to exposure of sensitive information. This is categorized under CWE-668 (Exposure of Resource to Wrong Sphere). The vulnerability affects only those who store sensitive data in JSON variables. Apache Airflow 3.2.0 includes a fix that properly redacts these secrets.
Potential Impact
Sensitive information stored as nested fields in JSON dictionary variables may be exposed to users retrieving these variables, potentially leading to unauthorized disclosure of secrets. The impact is limited to configurations where sensitive data is stored in JSON form within variables.
Mitigation Recommendations
Upgrade to Apache Airflow version 3.2.0 or later, which includes a fix for this vulnerability. If you do not store sensitive values in JSON variables, you are not affected and no immediate action is required. Patch status is not explicitly stated but the vendor recommends upgrading to 3.2.0 for remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-13T10:53:28.309Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e32a52bdfbbecc59fc2b91
Added to database: 4/18/2026, 6:53:06 AM
Last enriched: 4/18/2026, 7:08:05 AM
Last updated: 4/20/2026, 9:05:29 AM
Views: 36
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.