CVE-2026-32690
CVE-2026-32690 is a low-severity vulnerability rated 3.7/10 on the CVSS scale. Secrets in Variables saved as JSON dictionaries were not properly redacted: if these variables were retrieved by the user, the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise, please upgrade to Apache Airflow 3.2.0, which has the fix implemented. EPSS estimates a 0.42% chance of exploitation in the next 30 days.
Description
Secrets in Variables saved as JSON dictionaries were not properly redacted: if these variables were retrieved by the user, the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise, please upgrade to Apache Airflow 3.2.0, which has the fix implemented.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | >= 3.0.0, < 3.2.0 |
References
- https://github.com/apache/airflow/pull/63480 (Issue Tracking)
- https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5 (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/04/17/6 (Mailing List, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST
