CVE-2026-32690

low Apache
CVSS v3 Base Score
3.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 92% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Confidentiality
Low
Integrity
None
Availability
None
Published: April 18, 2026 (26 days ago)
Last Modified: April 21, 2026
Vendor: Apache
Source: NVD

Description

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented

CWE

CWE-668

Affected Products

apache airflow

References

🔗 github.com 🔗 lists.apache.org 🔗 www.openwall.com