Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 07 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Tue, 07 Jul 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later. | |
| Title | Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options | |
| Weaknesses | CWE-200 | |
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-07-07T13:23:08.572Z
Reserved: 2026-05-26T01:39:22.505Z
Link: CVE-2026-48892
Updated: 2026-07-07T12:48:08.946Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T16:45:03Z