{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32690", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-13T10:53:28.309Z", "datePublished": "2026-04-18T06:22:26.081Z", "dateUpdated": "2026-04-20T16:11:33.956Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.2.0", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Anh Binh [IA Lab \u2013 FPT University]"}, {"lang": "en", "type": "remediation developer", "value": "Kevin Yang"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.<br><br>If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented<br><br>"}], "value": "Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.\n\nIf you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-668", "description": "CWE-668: Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-18T06:22:26.081Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/63480"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-18T06:29:00.682Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:11:00.447056Z", "id": "CVE-2026-32690", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:11:33.956Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-18T06:29:00.682Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:11:00.447056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:11:27.626Z"}}], "cna": {"title": "Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Anh Binh [IA Lab \u2013 FPT University]"}, {"lang": "en", "type": "remediation developer", "value": "Kevin Yang"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Airflow", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.2.0", "versionType": "semver"}], "packageName": "apache-airflow", "collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/airflow/pull/63480", "tags": ["patch"]}, {"url": "https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "airflow-s/generate_cve_json.py"}, "descriptions": [{"lang": "en", "value": "Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.\n\nIf you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented", "supportingMedia": [{"type": "text/html", "value": "Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.<br><br>If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-668", "description": "CWE-668: Exposure of Resource to Wrong Sphere"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-18T06:22:26.081Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32690", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:11:33.956Z", "dateReserved": "2026-03-13T10:53:28.309Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-18T06:22:26.081Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8133DE3-F556-42F5-8298-FD4CF40787B6", "versionEndExcluding": "3.2.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.\n\nIf you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented"}], "id": "CVE-2026-32690", "lastModified": "2026-04-21T14:41:08.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-18T07:16:10.683", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://github.com/apache/airflow/pull/63480"}, {"source": "security@apache.org", "tags": ["Vendor Advisory", "Mailing List"], "url": "https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/6"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.2.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Airflow", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "airflow", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-20T18:43:16.129124+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Airflow to version 3.2.0 or later that includes the redaction fix.", "Avoid storing sensitive values in nested JSON fields within Variables; use flat key/value pairs instead.", "Delete or cleanse existing Variables that contain sensitive data stored as JSON so that they are not exposed during retrieval."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Apache Airflow versions 3.x before 3.2.0 are impacted when variables contain nested secret values in JSON form. Airflow installations that do not store sensitive data this way are not affected. No specific patch level is listed in the CNA data beyond the note that upgrading to 3.2.0 removes the issue.", "description_and_impact": "A flaw in Apache Airflow 3.x allows secrets stored as JSON dictionaries within Variables to bypass the redaction mechanism when the variable is retrieved, exposing nested secret values. The vulnerability stems from the redaction logic limiting its depth to a single level, leaving deeper layers unmasked. This can lead to sensitive credentials being disclosed to any user or process that fetches the variable, undermining confidentiality safeguards.", "risk_and_exploitability": "The vulnerability, classified under CWE-668, has a low confidentiality risk as reflected by its CVSS score of 3.7. Its EPSS score is less than 1%, indicating a very low probability of exploitation, and it is not listed in the CISA KEV catalog. The attack vector likely involves a maliciously or inadvertently privileged user retrieving variables via the Airflow UI or REST API; no network or privilege escalation is required beyond that access level."}}}}, "created": "2026-04-18T09:00:05.714654+00:00", "updated": "2026-04-20T18:45:14.231589+00:00", "vendors": ["apache", "apache$PRODUCT$airflow"]}