CVE-2026-42358 Overview
CVE-2026-42358 is an information disclosure flaw in Apache Airflow's Variable response masker. The masker redacts values stored under secret-suffixed key names such as password, token, secret, and api_key. When a JSON Variable's nesting depth exceeds the shared secrets masker's recursion cap, the masker returns the original nested item before evaluating the sensitive key name. An authenticated user holding Variable read permission can retrieve plaintext secrets stored deep within nested JSON structures. The issue is a residual gap in the fix for CVE-2026-32690, which addressed shallower nesting through max_depth=1 but left the depth boundary unchanged.
Critical Impact
Authenticated users with Variable read access can exfiltrate plaintext credentials stored under sensitive keys inside deeply-nested JSON Airflow Variables.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Deployments that store sensitive values inside deeply-nested JSON Variables
- Installations previously patched only for CVE-2026-32690
Discovery Timeline
- 2026-06-01 - CVE-2026-42358 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-42358
Vulnerability Analysis
Apache Airflow exposes user-defined Variables through its UI and REST API. To prevent accidental disclosure of secrets stored as Variables, Airflow runs response payloads through a secrets masker. The masker walks JSON structures recursively and redacts any value whose key name matches a sensitive suffix pattern such as password, token, secret, or api_key.
The masker enforces a recursion max_depth cap to bound traversal cost. When recursion reaches the cap, the masker returns the current item unchanged. The defect lies in ordering: the early-return on depth exhaustion executes before the sensitive-key check. Any matching key located beyond the depth boundary therefore yields its raw value in the response.
This is the same key-name bypass pattern previously addressed in CVE-2026-32690. That fix tightened handling at shallow depths but did not raise the depth-limit boundary itself, leaving the deep-nesting code path exploitable. The flaw is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Root Cause
The ordering bug in the shared secrets masker returns nested items based on depth before applying the sensitive-key redaction rule. Secrets nested below the recursion threshold are emitted verbatim in API and UI responses.
Attack Vector
Exploitation requires authenticated access with Variable read permission. The attacker queries a Variable whose JSON value nests sensitive keys deeper than the masker's recursion limit, then reads the unredacted secret directly from the API response. No special tooling is required beyond standard Airflow API clients.
The vulnerability is described in prose only; see the Apache Airflow Pull Request 65912 for the patch implementation details.
Detection Methods for CVE-2026-42358
Indicators of Compromise
- Unusual volume of GET /api/v1/variables/{key} or GET /api/v2/variables/{key} requests from a single authenticated principal.
- API responses that contain plaintext values under keys named password, token, secret, or api_key instead of the masked placeholder.
- Variable enumeration patterns where a user iterates through many Variable keys in a short window.
Detection Strategies
- Inspect Airflow webserver and API access logs for Variable read calls correlated with users who do not normally interact with Variables.
- Audit stored Variable JSON payloads for nesting depths that exceed the masker's recursion cap and flag those containing sensitive key names.
- Compare Variable response bodies against expected redaction output to detect masker bypass behavior.
Monitoring Recommendations
- Enable Airflow audit logging and forward webserver, scheduler, and API logs to a centralized analytics platform.
- Alert on bursts of Variable API calls and on responses containing strings that resemble credentials, tokens, or private keys.
- Track downstream use of Variable values in DAG runs to detect secret misuse following a suspected harvest.
How to Mitigate CVE-2026-42358
Immediate Actions Required
- Upgrade Apache Airflow to version 3.2.2 or later, even if the previous fix for CVE-2026-32690 was already applied.
- Rotate any credentials, tokens, or API keys that were ever stored inside JSON Variables, particularly under sensitive key names.
- Review Variable read permissions and revoke them from roles that do not require Variable access.
Patch Information
The fix is delivered in apache-airflow 3.2.2. The corrective change adjusts the secrets masker so that the sensitive-key check runs before the depth-exhaustion early return, ensuring redaction applies at any nesting depth. Patch details are available in the Apache Airflow Pull Request 65912 and the Apache Airflow Security Mailing List.
Workarounds
- Migrate secrets out of Airflow Variables and into a dedicated secrets backend such as HashiCorp Vault, AWS Secrets Manager, or GCP Secret Manager.
- Flatten JSON Variable structures so that sensitive keys appear at shallow depths covered by the existing masker logic.
- Restrict the Airflow Variables.can_read permission to administrative roles until the upgrade is complete.
# Configuration example
pip install --upgrade 'apache-airflow==3.2.2'
airflow db migrate
systemctl restart airflow-webserver airflow-scheduler
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
