← Back to CVEs
CVE-2026-32690
LOW3.7
Description
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented
CVE Details
CVSS v3.1 Score3.7
SeverityLOW
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionNONE
Published4/18/2026
Last Modified4/21/2026
Sourcenvd
Honeypot Sightings0
Affected Products
apache:airflow
Weaknesses (CWE)
CWE-668
References
https://github.com/apache/airflow/pull/63480(security@apache.org)
https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5(security@apache.org)
http://www.openwall.com/lists/oss-security/2026/04/17/6(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.