CVE-2026-42360: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Airflow
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
AI Analysis
Technical Summary
Apache Airflow has a vulnerability (CVE-2026-42360) involving the exposure of sensitive information due to improper masking of nested sensitive keys in rendered JSON template fields. When the rendered field length exceeds the max_templated_field_length setting, Airflow converts the JSON structure to a string before applying redaction, which causes nested sensitive keys to be missed and their plaintext values to be persisted in rendered_fields. Authenticated users with read access to rendered template fields can retrieve these secrets. This vulnerability is related to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and is a variant of a previously fixed issue (CVE-2025-68438) that did not cover nested keys. Users who upgraded for CVE-2025-68438 must also upgrade to Apache Airflow 3.2.2 or later to address this nested key masking bypass.
Potential Impact
The vulnerability allows authenticated users with permission to read rendered template fields in Apache Airflow to access sensitive information such as passwords, tokens, secrets, or API keys that should have been masked. This exposure occurs when nested sensitive keys inside JSON templates are not properly redacted due to the rendered field length exceeding a configured threshold. The impact is unauthorized disclosure of secrets within Airflow deployments that use structured JSON with nested sensitive keys.
Mitigation Recommendations
Users should upgrade Apache Airflow to version 3.2.2 or later to fully address this vulnerability. This upgrade complements the previous fix for CVE-2025-68438 by covering nested sensitive-key masking. No other mitigation or temporary workaround is indicated in the available data. Patch status is not explicitly confirmed in vendor advisories, so users should verify the upgrade guidance with official Apache Airflow release notes.
CVE-2026-42360: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Airflow
Description
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
CVSS v3.1
Score 6.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache Airflow has a vulnerability (CVE-2026-42360) involving the exposure of sensitive information due to improper masking of nested sensitive keys in rendered JSON template fields. When the rendered field length exceeds the max_templated_field_length setting, Airflow converts the JSON structure to a string before applying redaction, which causes nested sensitive keys to be missed and their plaintext values to be persisted in rendered_fields. Authenticated users with read access to rendered template fields can retrieve these secrets. This vulnerability is related to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and is a variant of a previously fixed issue (CVE-2025-68438) that did not cover nested keys. Users who upgraded for CVE-2025-68438 must also upgrade to Apache Airflow 3.2.2 or later to address this nested key masking bypass.
Potential Impact
The vulnerability allows authenticated users with permission to read rendered template fields in Apache Airflow to access sensitive information such as passwords, tokens, secrets, or API keys that should have been masked. This exposure occurs when nested sensitive keys inside JSON templates are not properly redacted due to the rendered field length exceeding a configured threshold. The impact is unauthorized disclosure of secrets within Airflow deployments that use structured JSON with nested sensitive keys.
Mitigation Recommendations
Users should upgrade Apache Airflow to version 3.2.2 or later to fully address this vulnerability. This upgrade complements the previous fix for CVE-2025-68438 by covering nested sensitive-key masking. No other mitigation or temporary workaround is indicated in the available data. Patch status is not explicitly confirmed in vendor advisories, so users should verify the upgrade guidance with official Apache Airflow release notes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-26T19:48:31.553Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1d4e75e29bf47b50cd49fa
Added to database: 6/1/2026, 9:18:45 AM
Last enriched: 6/1/2026, 9:35:54 AM
Last updated: 6/2/2026, 5:06:07 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.