Vulnerability in Apache Software Foundation Airflow

CVE-2026-32690

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSO…

EPSS: 0.001 (29.2th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Airflow — versions 3.0.0

Weakness classification (CWE)

CWE-668 — Exposure of Resource to Wrong Sphere

References

github.com/apache/airflow/pull/63480 (patch)
lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5 (vendor-advisory)