CVE-2026-48828

Summary

The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based should_hide_value_for_key check (which triggers on secret-suffixed key names like *_password / *_token / *_secret) could not fire for JSON-decodable variable values. An authenticated UI/API user with bulk Variable read permission could retrieve plaintext values from JSON variables whose key would otherwise trigger redaction. Affects deployments that store sensitive values in JSON-typed Airflow Variables under secret-suffixed key names. Users are advised to upgrade to apache-airflow 3.3.0 or later (the fix landed on main after 3.2.2; no 3.2.x backport).

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Airflow0 < 3.3.0affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References