CVE-2026-48828 PUBLISHED

Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key

Assigner: apache
Reserved: 23.05.2026 Published: 07.07.2026 Updated: 07.07.2026

The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based should_hide_value_for_key check (which triggers on secret-suffixed key names like *_password / *_token / *_secret) could not fire for JSON-decodable variable values. An authenticated UI/API user with bulk Variable read permission could retrieve plaintext values from JSON variables whose key would otherwise trigger redaction. Affects deployments that store sensitive values in JSON-typed Airflow Variables under secret-suffixed key names. Users are advised to upgrade to apache-airflow 3.3.0 or later (the fix landed on main after 3.2.2; no 3.2.x backport).

Product Status

Vendor Apache Software Foundation
Product Apache Airflow
Versions Default: unaffected
  • affected from 0 to 3.3.0 (excl.)

Credits

  • Omkhar Arasaratnam (@omkhar) finder
  • Shubham Raj (@shubhamraj-git) remediation developer

References

Problem Types

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE