CVE-2026-48892: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Airflow
Apache Airflow versions prior to 3.3.0 have a vulnerability where certain per-key secrets-backend environment variable overrides are exposed in plaintext via the Config API. These environment variables, such as AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID, are not redacted because their option names are missing from the sensitive_config_values masker list. An authenticated user with Config read permission can retrieve sensitive secrets-backend credentials from the API output. This affects deployments that use per-key environment overrides for secrets backends. Upgrading to Apache Airflow 3.3.0 or later mitigates this issue.
AI Analysis
Technical Summary
The Config API in Apache Airflow versions before 3.3.0 exposes plaintext secrets-backend credentials due to missing redaction of synthetic config options derived from per-key environment variable overrides. Specifically, environment variables like AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID and AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID are surfaced as config options but their names are not included in the sensitive_config_values list used by the masker. Consequently, an authenticated UI or API user with Config read permission can access sensitive Vault credentials such as role_id and secret_id in plaintext. This vulnerability affects deployments that configure secrets backends using these per-key environment overrides. The issue is resolved by upgrading to Apache Airflow version 3.3.0 or later.
Potential Impact
An authenticated user with Config read permission can obtain plaintext secrets-backend credentials, including Vault role_id and secret_id, from the Config API output. This exposure of sensitive information could lead to unauthorized access to secrets managed by the backend, potentially compromising the confidentiality of sensitive data managed by Airflow deployments using per-key environment overrides for secrets backends.
Mitigation Recommendations
Upgrade Apache Airflow to version 3.3.0 or later, where this issue is fixed. There is no indication of an official patch or temporary fix other than upgrading. Deployments should avoid using affected versions to prevent exposure of secrets-backend credentials. Patch status is confirmed by the vendor advisory recommending upgrade to 3.3.0 or later.
CVE-2026-48892: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Airflow
Description
Apache Airflow versions prior to 3.3.0 have a vulnerability where certain per-key secrets-backend environment variable overrides are exposed in plaintext via the Config API. These environment variables, such as AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID, are not redacted because their option names are missing from the sensitive_config_values masker list. An authenticated user with Config read permission can retrieve sensitive secrets-backend credentials from the API output. This affects deployments that use per-key environment overrides for secrets backends. Upgrading to Apache Airflow 3.3.0 or later mitigates this issue.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Config API in Apache Airflow versions before 3.3.0 exposes plaintext secrets-backend credentials due to missing redaction of synthetic config options derived from per-key environment variable overrides. Specifically, environment variables like AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID and AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID are surfaced as config options but their names are not included in the sensitive_config_values list used by the masker. Consequently, an authenticated UI or API user with Config read permission can access sensitive Vault credentials such as role_id and secret_id in plaintext. This vulnerability affects deployments that configure secrets backends using these per-key environment overrides. The issue is resolved by upgrading to Apache Airflow version 3.3.0 or later.
Potential Impact
An authenticated user with Config read permission can obtain plaintext secrets-backend credentials, including Vault role_id and secret_id, from the Config API output. This exposure of sensitive information could lead to unauthorized access to secrets managed by the backend, potentially compromising the confidentiality of sensitive data managed by Airflow deployments using per-key environment overrides for secrets backends.
Mitigation Recommendations
Upgrade Apache Airflow to version 3.3.0 or later, where this issue is fixed. There is no indication of an official patch or temporary fix other than upgrading. Deployments should avoid using affected versions to prevent exposure of secrets-backend credentials. Patch status is confirmed by the vendor advisory recommending upgrade to 3.3.0 or later.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-26T01:39:22.505Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4ccfd027e9c79719609a74
Added to database: 07/07/2026, 10:07:12 UTC
Last enriched: 07/07/2026, 10:22:01 UTC
Last updated: 07/07/2026, 10:22:01 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.