Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3087 articles · 172021 vulns · 37/41 feeds (7d)
← Back to list
6.5
CVE-2026-48892EXPLOITEDPATCHED
apache software foundation · apache airflow

Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options

Description

The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option names were not in `sensitive_config_values`, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault `role_id` / `secret_id`, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to `apache-airflow` 3.3.0 or later.

Affected Products

VendorProductVersions
apache software foundationapache airflow0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apacheairflowcert_advisory90%

References

  • https://github.com/apache/airflow/pull/67622(patch)
  • https://lists.apache.org/thread/pq5yy40079h6tzh3fxvw28dd8dbk72hk(vendor-advisory)

Related News (3 articles)

Tier B
BSI Advisories9h ago
[NEU] [mittel] Apache Airflow: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
oss-security9h ago
CVE-2026-48892: Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
→ No new info (linked only)
Tier C
VulDB10h ago
CVE-2026-48892 | Apache Airflow up to 3.2.x Config API missing encryption
→ No new info (linked only)
CVSS 3.16.5 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
3.3.0
CWECWE-200
PublishedJul 7, 2026
Last enriched5h agov3
Trending Score56
Source articles3
Independent3
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-33264EXP
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Trending: 77
MEDIUMCVE-2026-48828EXP
Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Trending: 56
NONECVE-2026-49487EXP
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Trending: 53
MEDIUMCVE-2026-48891EXP
Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Trending: 52
CRITICALCVE-2026-53913
Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted
Trending: 44

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 7, 2026
Discovered by ZDM
Jul 7, 2026
Updated: affectedVersions, severity, activelyExploited
Jul 7, 2026
Updated: severity
Jul 7, 2026
Actively Exploited
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v3
Last enriched 5h ago
v3Tier C9h ago

Updated severity from HIGH to MEDIUM and set patchAvailable to null.

severity
via oss-security
v2Tier C10h ago

Updated affected versions to include 3.2.x, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseverityactivelyExploited
via VulDB
v110h ago

Initial creation