Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <f4ac6989-8200-3cee-606c-c535052574c4@apache.org>
Date: Tue, 07 Jul 2026 08:31:23 +0000
From: Rahul Vats <rahulvats@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-48892: Apache Airflow: Config API leaks per-key secrets
 backend kwargs - masker bypass on synthetic options 

Severity: moderate 

Affected versions:

- Apache Airflow (apache-airflow) before 3.3.0

Description:

The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later.

Credit:

Omkhar Arasaratnam (@omkhar) (finder)
Jarek Potiuk (remediation developer)

References:

https://github.com/apache/airflow/pull/67622
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-48892

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.