|
|
Message-ID: <6a09320d-8df1-3874-5c03-513724b87229@apache.org> Date: Tue, 07 Jul 2026 08:25:46 +0000 From: Rahul Vats <rahulvats@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2026-49487: Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs Severity: moderate Affected versions: - Apache Airflow (apache-airflow) before 3.3.0 Description: In Apache Airflow before 3.3.0, the REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. When a deferred operator passed a secret (for example a provider API key) into its trigger, any authenticated user with DAG-scoped task-instance read access for that DAG could read that secret in clear text while the task was deferred. Users should upgrade to apache-airflow 3.3.0 or later, which masks sensitive values in trigger kwargs returned by the API. Credit: Andrew Rukin (Arenadata) (finder) Jarek Potiuk (@potiuk) (remediation developer) References: https://github.com/apache/airflow/pull/67868 https://airflow.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-49487
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.