CVE-2026-45192 Overview
CVE-2026-45192 is an information disclosure vulnerability in Apache Airflow's REST API. The GET /api/v2/connections/{connection_id} endpoint failed to redact secrets stored in a Connection's extra JSON blob when their field names were absent from the DEFAULT_SENSITIVE_FIELDS allowlist, so an authenticated user with Connection-read permission could retrieve plaintext credentials, including those stored under the official Slack provider's credential field names. The flaw maps to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Deployments that inline credentials in Connection extra blobs and grant Connection-read access to multiple users are affected. Apache published a fix in apache-airflow 3.2.2.
Critical Impact
Authenticated low-privilege users with Connection-read access can retrieve plaintext secrets stored in Connection extra fields, exposing third-party credentials such as Slack provider tokens.
Affected Products
- Apache Airflow versions prior to 3.2.2
- Deployments storing credentials inline in Connection extra JSON blobs
- Environments granting Connection-read permission to multiple UI/API users
Discovery Timeline
- 2026-06-01 - CVE-2026-45192 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45192
Vulnerability Analysis
The vulnerability resides in the GET /api/v2/connections/{connection_id} REST API endpoint. Apache Airflow stores Connection objects that include an extra field, a JSON blob used by provider packages to carry additional configuration and, frequently, secret material such as API tokens. To protect those secrets from disclosure, Airflow maintains an allowlist named DEFAULT_SENSITIVE_FIELDS that drives redaction of known sensitive key names in API responses.
The redaction logic relied exclusively on matching key names against this list. Field names used by provider packages, including the official Slack provider's credential keys, were not enumerated in DEFAULT_SENSITIVE_FIELDS, so the endpoint returned those values verbatim. Any authenticated user with Connection-read permission could call the endpoint and read the secrets in plaintext.
Root Cause
The root cause is an incomplete, enumerated-list approach to sensitive-data redaction. The redaction routine matched on a fixed set of field names rather than treating the entire extra blob as sensitive by default or consulting the provider package metadata that defines which fields hold credentials. Provider-specific credential field names introduced by third-party packages therefore bypassed redaction entirely.
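The two redaction designs contrasted above, as an added illustration that is not Airflow's own code: the first mirrors the enumerated-list pattern (a key is hidden only if its name contains a listed substring), the second treats every extra value as sensitive unless an operator explicitly marks the key as non-secret. The field list is a constructed subset, and "bot_credential" is a made-up stand-in for a provider key that the list does not cover, not the Slack provider's real key name.

```python
import json

# Constructed subset of Airflow's DEFAULT_SENSITIVE_FIELDS for illustration (not the full upstream set).
DEFAULT_SENSITIVE_FIELDS = frozenset({"password", "secret", "token", "api_key", "private_key"})
MASK = "***"


def should_hide(name: str) -> bool:
    """Enumerated-list check: a key is redacted only if it contains a known sensitive substring."""
    name = name.strip().lower()
    return any(s in name for s in DEFAULT_SENSITIVE_FIELDS)


def redact_extra_by_field_name(extra_json: str) -> dict:
    """Vulnerable pattern described on the page: redaction depends entirely on key-name matching,
    so a provider-specific credential key that is not on the list is returned in plaintext."""
    extra = json.loads(extra_json)
    return {k: (MASK if should_hide(k) else v) for k, v in extra.items()}


def redact_extra_by_default(extra_json: str, passthrough: frozenset = frozenset()) -> dict:
    """Hardened pattern: every extra value is treated as sensitive unless the key is on an explicit,
    operator-maintained list of non-secret keys (for example a region or team name)."""
    extra = json.loads(extra_json)
    return {k: (v if k.strip().lower() in passthrough else MASK) for k, v in extra.items()}


# Constructed Connection extra; 'bot_credential' stands in for a provider-specific credential key
# that no entry in DEFAULT_SENSITIVE_FIELDS matches (the real Slack provider key names are not reproduced).
SAMPLE_EXTRA = json.dumps({
    "password": "p@ss",
    "bot_credential": "constructed-bot-secret-value",
    "team_name": "ops",
})


def leaked_keys(extra_json: str, redacted: dict) -> list[str]:
    """Keys whose original value survives redaction unchanged."""
    extra = json.loads(extra_json)
    return sorted(k for k, v in extra.items() if redacted.get(k) == v)


if __name__ == "__main__":
    print(redact_extra_by_field_name(SAMPLE_EXTRA))   # bot_credential leaks in plaintext
    print(redact_extra_by_default(SAMPLE_EXTRA, passthrough=frozenset({"team_name"})))
```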
Attack Vector
Exploitation requires network access to the Airflow web server and valid credentials with Connection-read permission. An attacker issues an HTTP GET request to /api/v2/connections/{connection_id} for any Connection of interest. The response body returns the extra JSON blob with non-allowlisted sensitive fields in plaintext. No user interaction or elevated privileges are required beyond the read role. Refer to the Apache Airflow Pull Request #66673 and the Apache Mailing List Thread for technical details.
Detection Methods for CVE-2026-45192
Indicators of Compromise
- Repeated GET requests to /api/v2/connections/{connection_id} from a single authenticated user enumerating multiple connection IDs.
- Web server access logs showing API token or session-authenticated reads against the Connections endpoint outside normal operator workflows.
- Unexpected use of credentials harvested from Connection extra fields, such as Slack tokens authenticating from unfamiliar IPs.
Detection Strategies
- Review Airflow audit logs and reverse-proxy logs for high-volume Connection read patterns by non-administrator accounts.
- Correlate Airflow API access logs with downstream provider authentication events to identify credential misuse following Connection reads.
- Review role assignments and identify all users currently granted Connection-read permission.
Monitoring Recommendations
- Forward Airflow webserver and audit logs to a central SIEM and alert on enumeration patterns against /api/v2/connections/.
- Monitor secret-backend access patterns and provider-side authentication telemetry (e.g., Slack admin audit logs) for anomalous source IPs or clients.
- Track upgrades across all Airflow deployments to confirm version 3.2.2 or later is running.
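A minimal version of the enumeration check that the Indicators of Compromise, Detection Strategies and Monitoring Recommendations above describe, added here as example code rather than anything shipped with Airflow. It assumes combined-format access logs from a reverse proxy that records the authenticated user; the log lines are constructed, and the alert threshold is a tuning assumption to be set from a baseline of normal operator activity.

```python
import re
from collections import defaultdict

# Constructed reverse-proxy access log lines (combined log format with the authenticated-user field);
# the real layout depends on the proxy in front of the Airflow API server.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jun/2026:10:00:01 +0000] "GET /api/v2/connections/slack_default HTTP/1.1" 200 512
10.0.0.5 - alice [01/Jun/2026:10:00:02 +0000] "GET /api/v2/connections/aws_default HTTP/1.1" 200 498
10.0.0.5 - alice [01/Jun/2026:10:00:02 +0000] "GET /api/v2/connections/postgres_default HTTP/1.1" 200 600
10.0.0.5 - alice [01/Jun/2026:10:00:03 +0000] "GET /api/v2/connections/gcp_default HTTP/1.1" 200 377
10.0.0.5 - alice [01/Jun/2026:10:00:03 +0000] "GET /api/v2/connections/missing HTTP/1.1" 404 80
10.0.0.9 - bob [01/Jun/2026:10:05:00 +0000] "GET /api/v2/connections/slack_default HTTP/1.1" 200 512
10.0.0.9 - bob [01/Jun/2026:10:05:10 +0000] "GET /api/v2/dags HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Only single-connection reads matter here; the list endpoint and other API paths are ignored.
CONN_RE = re.compile(r"^/api/v2/connections/(?P<conn_id>[^/?#]+)$")


def connection_reads(log_text: str) -> dict[str, set[str]]:
    """Map each authenticated user to the set of connection_ids they successfully read (GET, 2xx)."""
    reads: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue
        c = CONN_RE.match(m["path"])
        if c:
            reads[m["user"]].add(c["conn_id"])
    return dict(reads)


def flag_enumeration(log_text: str, threshold: int = 3) -> dict[str, int]:
    """Users who read at least `threshold` distinct connections (assumed alert threshold)."""
    return {u: len(ids) for u, ids in connection_reads(log_text).items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # {'alice': 4}
```

Failed lookups (non-2xx) are excluded because they disclosed nothing; a separate rule could count them as probing.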
How to Mitigate CVE-2026-45192
Immediate Actions Required
- Upgrade apache-airflow to version 3.2.2 or later on all schedulers, webservers, and workers.
- Rotate any credentials previously stored in Connection extra JSON blobs, especially provider tokens such as Slack credentials.
- Review and restrict Connection-read permissions to the minimum set of operator accounts that require them.
Patch Information
The fix is included in apache-airflow 3.2.2. The upstream change is tracked in GitHub Pull Request #66673 and announced on the Apache Airflow mailing list. Additional discussion is available on the Openwall OSS-Security list.
Workarounds
- Store sensitive credential values in a configured secret backend (such as HashiCorp Vault, AWS Secrets Manager, or GCP Secret Manager) and reference them from Connections rather than inlining values in extra.
- Audit existing Connections and remove plaintext secrets from extra JSON blobs after migrating to a secret backend.
- Restrict Connection-read role assignments and enforce least privilege in Airflow RBAC until the patch is applied.
# Upgrade Apache Airflow to the patched release
pip install --upgrade "apache-airflow==3.2.2"
# Verify the installed version
airflow version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.