Primary

Context

Apache Airflow Nested Variable Secret Redaction Bypass Vulnerability

Vulnerability

Patched

A vulnerability exists in Apache Airflow versions 3.0.0 prior to 3.2.0, where secrets in variables saved as JSON dictionaries were not properly redacted. When these variables were retrieved by the user, secrets stored in nested fields were not masked. This issue affects users who store sensitive values in JSON format. The vulnerability has been addressed in Apache Airflow 3.2.0.

Impact

Exploitation of this vulnerability could lead to unintended disclosure of sensitive information, as secrets in nested JSON variables were not properly redacted when the variables were accessed.

Remediation

Users are advised to upgrade to Apache Airflow version 3.2.0, which includes the necessary fix. Instructions for upgrading can be found in the Apache Airflow documentation.

Added: Apr 18, 2026, 7:19 AM

Updated: Apr 18, 2026, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

2.5

exploitability

4.1

remediation

7.7

relevance

6.3

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

2.5

exploitability

4.1

remediation

7.7

relevance

6.3

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache Airflow Nested Variable Secret Redaction Bypass Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Apache Airflow

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating