Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3087 articles · 172021 vulns · 37/41 feeds (7d)
← Back to list
7.5
CVE-2026-49487EXPLOITEDPATCHED
apache software foundation · apache airflow

Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs

Description

In Apache Airflow before 3.3.0, the REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. When a deferred operator passed a secret (for example a provider API key) into its trigger, any authenticated user with DAG-scoped task-instance read access for that DAG could read that secret in clear text while the task was deferred. Users should upgrade to apache-airflow 3.3.0 or later, which masks sensitive values in trigger kwargs returned by the API.

Affected Products

VendorProductVersions
apache software foundationapache airflow0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apacheairflowcert_advisory90%

References

  • https://github.com/apache/airflow/pull/67868(patch)
  • https://lists.apache.org/thread/qlw6pozlzlfhkvmbgqsbjlq6vj4v0pc4(vendor-advisory)

Related News (3 articles)

Tier B
BSI Advisories9h ago
[NEU] [mittel] Apache Airflow: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
oss-security9h ago
CVE-2026-49487: Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
→ No new info (linked only)
Tier C
VulDB10h ago
CVE-2026-49487 | Apache Airflow up to 3.2.x REST API information disclosure
→ No new info (linked only)
CVSS 3.17.5 NONE
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
3.3.0
CWECWE-200
PublishedJul 7, 2026
Last enriched9h agov3
Tags
information disclosure
Trending Score53
Source articles3
Independent3
Info Completeness10/14
Missing: epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-33264EXP
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Trending: 77
MEDIUMCVE-2026-48892EXP
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Trending: 56
MEDIUMCVE-2026-48828EXP
Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Trending: 56
MEDIUMCVE-2026-48891EXP
Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Trending: 52
CRITICALCVE-2026-53913
Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted
Trending: 44

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 7, 2026
Discovered by ZDM
Jul 7, 2026
Updated: affectedVersions, severity, cvssEstimate, activelyExploited, tags
Jul 7, 2026
Updated: severity, exploitAvailable
Jul 7, 2026
Actively Exploited
Jul 7, 2026
Exploit Available
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v3
Last enriched 9h ago
v3Tier C9h ago

Updated severity from HIGH to MEDIUM and marked exploit as available.

severityexploitAvailable
via oss-security
v2Tier C10h ago

Updated affected versions to 3.2.x, changed severity to HIGH, and added CVSS estimate of 7.5.

affectedVersionsseveritycvssEstimateactivelyExploitedtags
via VulDB
v110h ago

Initial creation