CVE-2026-32690 Overview
CVE-2026-32690 is an Information Disclosure vulnerability in Apache Airflow where secrets stored in Variables as JSON dictionaries were not properly redacted. When users retrieved these variables, secrets stored as nested fields within the JSON structure were not masked, potentially exposing sensitive credential information.
Critical Impact
Sensitive secrets stored in nested JSON dictionary variables could be exposed to users retrieving these variables, potentially leading to credential disclosure.
Affected Products
- Apache Airflow (versions prior to 3.2.0)
Discovery Timeline
- 2026-04-18 - CVE CVE-2026-32690 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-32690
Vulnerability Analysis
This vulnerability falls under CWE-668 (Exposure of Resource to Wrong Sphere), where the Airflow platform's variable redaction mechanism failed to properly handle nested JSON structures. The redaction system was designed to mask sensitive values stored in variables, but did not recursively traverse JSON dictionaries to identify and redact secrets stored at deeper nesting levels.
When administrators store sensitive configuration data such as API keys, database credentials, or authentication tokens in Airflow Variables using JSON dictionary format, the system should automatically mask these values when displayed or retrieved through the UI or API. However, due to insufficient handling of nested JSON structures, secrets embedded within child objects or arrays remained visible in plaintext.
The vulnerability requires specific conditions to be exploited: users must store sensitive values in JSON dictionary format within Airflow Variables, and an attacker would need access to retrieve these variables. Organizations that do not store variables with sensitive values in JSON form are not affected.
Root Cause
The root cause lies in the variable redaction logic not performing recursive traversal of JSON dictionary structures. When secrets are stored as top-level key-value pairs, the masking mechanism functions correctly. However, when secrets are nested within child objects or arrays inside the JSON structure, the redaction function does not descend into these nested levels, leaving the sensitive values exposed.
Attack Vector
The attack vector is network-based, requiring authenticated access to the Airflow environment. An attacker with permissions to view or retrieve Variables through the Airflow web UI or REST API could access improperly redacted JSON dictionary variables. The exploitation requires no user interaction and can be performed remotely, though the attack complexity is considered high as it depends on specific variable storage configurations being present.
The vulnerability mechanism involves the following scenario: when a Variable containing a JSON dictionary like {"database": {"password": "secret123"}} is retrieved, the outer level may be processed for redaction, but the nested password field within the database object would remain unmasked, exposing the credential value.
Detection Methods for CVE-2026-32690
Indicators of Compromise
- Unusual or unauthorized access to the Airflow Variables retrieval endpoints
- API calls attempting to enumerate or retrieve multiple Variables in rapid succession
- Access logs showing Variable retrieval from unexpected user accounts or IP addresses
Detection Strategies
- Monitor Airflow audit logs for Variable access patterns, particularly focusing on JSON-formatted variables
- Implement alerting on bulk Variable retrieval operations
- Review access control configurations to ensure Variable read permissions are appropriately restricted
Monitoring Recommendations
- Enable detailed audit logging for all Variable operations in Apache Airflow
- Implement network monitoring for unusual access patterns to the Airflow web interface and API endpoints
- Conduct periodic reviews of Variables containing JSON content to identify potentially exposed secrets
How to Mitigate CVE-2026-32690
Immediate Actions Required
- Upgrade Apache Airflow to version 3.2.0 or later, which contains the fix for this vulnerability
- Audit existing Variables for sensitive data stored in JSON dictionary format
- Rotate any credentials or secrets that may have been stored in nested JSON Variables
Patch Information
Apache has released the fix in Apache Airflow version 3.2.0. The patch addresses the improper redaction of nested JSON dictionary fields, ensuring secrets stored at any nesting level are properly masked. Technical details of the fix can be found in the GitHub Pull Request #63480. Additional information is available in the Apache Mailing List Thread and the Openwall OSS Security Update.
Workarounds
- Avoid storing sensitive values in JSON dictionary format within Airflow Variables until the upgrade is completed
- Move secrets from Variables to dedicated secrets backends such as HashiCorp Vault, AWS Secrets Manager, or Google Cloud Secret Manager
- Implement additional access controls to limit which users can retrieve Variables containing sensitive configuration data
# Upgrade Apache Airflow to patched version
pip install --upgrade apache-airflow==3.2.0
# Alternatively, use constraints file for controlled upgrade
pip install apache-airflow==3.2.0 --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-3.2.0/constraints.txt"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
