Severity: moderate 

Affected versions:

- Apache Airflow (apache-airflow) before 3.3.0

Description:

In Apache Airflow before 3.3.0, the REST API task-instance detail and list
endpoints returned a deferred task's trigger kwargs without masking. When a
deferred operator passed a secret (for example a provider API key) into its
trigger, any authenticated user with DAG-scoped task-instance read access for
that DAG could read that secret in clear text while the task was deferred.
Users should upgrade to apache-airflow 3.3.0 or later, which masks sensitive
values in trigger kwargs returned by the API.

Credit:

Andrew Rukin (Arenadata) (finder)
Jarek Potiuk (@potiuk) (remediation developer)

References:

https://github.com/apache/airflow/pull/67868
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-49487

Reply via email to