The vulnerability in Apache Airflow's GET /api/v2/connections/{connection_id} endpoint allows an authenticated user with Connection-read permission to retrieve sensitive information from the Connection's extra JSON blob. This occurs because the redaction mechanism does not cover all sensitive field names, exposing secrets such as Slack credentials in plaintext. The issue affects deployments that store credentials in the extra field and grant read access to multiple users. The vendor recommends upgrading to version 3.2.2 or later and suggests storing sensitive credentials in a secret backend as a defense-in-depth measure.

An authenticated user with Connection-read permission can access sensitive credential information that should be protected, potentially leading to unauthorized disclosure of secrets such as API keys or tokens stored in the Connection extra field. This exposure could facilitate further unauthorized actions if the credentials are reused or provide access to other systems. The impact is limited to users who already have Connection-read permission, but the unintended exposure of secrets increases risk within affected environments.

Users should upgrade Apache Airflow to version 3.2.2 or later where this vulnerability is addressed. Additionally, as a defense-in-depth measure, deployment operators are advised to store sensitive credential values in a secret backend rather than embedding them directly in the Connection extra field. No vendor advisory explicitly states that no action is required or that the issue is already mitigated without upgrade, so patching and configuration changes are recommended.