The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based `should_hide_value_for_key` check (which triggers on secret-suffixed key names like `*_password` / `*_token` / `*_secret`) could not fire for JSON-decodable variable values. An authenticated UI/API user with bulk Variable read permission could retrieve plaintext values from JSON variables whose key would otherwise trigger redaction. Affects deployments that store sensitive values in JSON-typed Airflow Variables under secret-suffixed key names. Users are advised to upgrade to `apache-airflow` 3.3.0 or later (the fix landed on `main` after 3.2.2; no 3.2.x backport).
| Vendor | Product | Versions |
|---|---|---|
| apache software foundation | apache airflow | 0 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| apache | airflow | cert_advisory | 90% |
Updated description with technical details, changed severity to MEDIUM, marked exploit as available, and added affected versions and CVE tag.
Updated description with new details about missing encryption, changed affected versions to 3.2.x, updated severity to HIGH, and noted that the exploit is not available.
Initial creation