CVE-2026-30912 PUBLISHED

Apache Airflow: Exposing stack trace in case of constraint error

Assigner: apache
Reserved: 07.03.2026 | Published: 18.04.2026 | Updated: 18.04.2026

In case of SQL errors, the exception and stack trace of the error were exposed through the API even if "api/expose_stack_traces" was set to false. That could expose additional information to a potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

Product Status

Vendor: Apache Software Foundation
Product: Apache Airflow
Versions (default: unaffected):
  • affected from 0 to 3.2.0 (exclusive)

Credits

  • Masamune - Unit515 OPSWAT (finder)
  • Jason(Zhe-You) Liu (remediation developer)

Problem Types

  • CWE-668: Exposure of Resource to Wrong Sphere