CVE-2026-49487
Description
In Apache Airflow before 3.3.0, the REST API task-instance detail and list
endpoints returned a deferred task's trigger kwargs without masking. When a
deferred operator passed a secret (for example a provider API key) into its
trigger, any authenticated user with DAG-scoped task-instance read access for
that DAG could read that secret in clear text while the task was deferred.
Users should upgrade to apache-airflow 3.3.0 or later, which masks sensitive
values in trigger kwargs returned by the API.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow | — | 0 < 3.3.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-200 | cna | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
References (2)