In Apache Airflow before 3.3.0, the REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. When a deferred operator passed a secret (for example a provider API key) into its trigger, any authenticated user with DAG-scoped task-instance read access for that DAG could read that secret in clear text while the task was deferred. Users should upgrade to apache-airflow 3.3.0 or later, which masks sensitive values in trigger kwargs returned by the API.
| Vendor | Product | Versions |
|---|---|---|
| apache software foundation | apache airflow | 0 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| apache | airflow | cert_advisory | 90% |
Updated severity from HIGH to MEDIUM and marked exploit as available.
Updated affected versions to 3.2.x, changed severity to HIGH, and added CVSS estimate of 7.5.
Initial creation