Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3087 articles · 172021 vulns · 37/41 feeds (7d)
← Back to list
6.5
CVE-2026-48828EXPLOITEDPATCHED
apache software foundation · apache airflow

Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key

Description

The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based `should_hide_value_for_key` check (which triggers on secret-suffixed key names like `*_password` / `*_token` / `*_secret`) could not fire for JSON-decodable variable values. An authenticated UI/API user with bulk Variable read permission could retrieve plaintext values from JSON variables whose key would otherwise trigger redaction. Affects deployments that store sensitive values in JSON-typed Airflow Variables under secret-suffixed key names. Users are advised to upgrade to `apache-airflow` 3.3.0 or later (the fix landed on `main` after 3.2.2; no 3.2.x backport).

Affected Products

VendorProductVersions
apache software foundationapache airflow0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apacheairflowcert_advisory90%

References

  • https://github.com/apache/airflow/pull/67495(patch)
  • https://lists.apache.org/thread/y9kf314t6dhnv994hr11wj3tbow847yc(vendor-advisory)

Related News (3 articles)

Tier B
BSI Advisories9h ago
[NEU] [mittel] Apache Airflow: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
oss-security10h ago
CVE-2026-48828: Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
→ No new info (linked only)
Tier C
VulDB10h ago
CVE-2026-48828 | Apache Airflow up to 3.2.x Bulk Variables API missing encryption
→ No new info (linked only)
CVSS 3.16.5 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
3.3.0
CWECWE-200
PublishedJul 7, 2026
Last enriched5h agov3
Tags
CVE-2026-48828
Trending Score56
Source articles3
Independent3
Info Completeness9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-33264EXP
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Trending: 77
MEDIUMCVE-2026-48892EXP
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Trending: 56
NONECVE-2026-49487EXP
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Trending: 53
MEDIUMCVE-2026-48891EXP
Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Trending: 52
CRITICALCVE-2026-53913
Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted
Trending: 44

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 7, 2026
Discovered by ZDM
Jul 7, 2026
Updated: description, affectedVersions, severity, cweIds, activelyExploited
Jul 7, 2026
Updated: description, severity, affectedVersions, exploitAvailable, tags
Jul 7, 2026
Actively Exploited
Jul 7, 2026
Exploit Available
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v3
Last enriched 5h ago
v3Tier C9h ago

Updated description with technical details, changed severity to MEDIUM, marked exploit as available, and added affected versions and CVE tag.

descriptionseverityaffectedVersionsexploitAvailabletags
via oss-security
v2Tier C10h ago

Updated description with new details about missing encryption, changed affected versions to 3.2.x, updated severity to HIGH, and noted that the exploit is not available.

descriptionaffectedVersionsseveritycweIdsactivelyExploited
via VulDB
v110h ago

Initial creation