Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-49487

CVE-2026-49487: Apache Airflow Information Disclosure Flaw

CVE-2026-49487 is an information disclosure vulnerability in Apache Airflow that exposes secrets in deferred task trigger kwargs via REST API. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-49487 Overview

CVE-2026-49487 is a sensitive information disclosure vulnerability in Apache Airflow versions prior to 3.3.0. The REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. Any authenticated user with DAG-scoped task-instance read access could read secrets, such as provider API keys, in clear text while the task was in a deferred state. The flaw is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

Critical Impact

Authenticated users with read access to a DAG's task instances can retrieve unmasked secrets passed into deferred operator triggers, leading to unauthorized disclosure of provider credentials and API keys.

Affected Products

  • Apache Airflow versions before 3.3.0
  • Deployments exposing the Airflow REST API to authenticated users
  • Environments using deferred operators that pass secrets into trigger kwargs

Discovery Timeline

  • 2026-07-07 - CVE-2026-49487 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-49487

Vulnerability Analysis

Apache Airflow supports deferrable operators that suspend execution and hand off control to a Triggerer process. During suspension, the operator serializes its trigger and associated kwargs into the metadata database. These kwargs frequently contain sensitive material such as provider API keys, connection secrets, or authentication tokens passed by the operator to the trigger.

The REST API task-instance detail and list endpoints returned the trigger kwargs field verbatim in JSON responses. Airflow's existing secret masking logic, which suppresses sensitive values in logs and rendered templates, was not applied to this API surface. Any authenticated caller with DAG-scoped read permission for a task instance could therefore retrieve plaintext secrets while the task remained deferred.

Root Cause

The root cause is a missing sanitization step in the API serializer for deferred task instances. Trigger kwargs were persisted and returned as raw structured data. The secrets masker was not invoked on the response payload before it was transmitted to the client.

Attack Vector

Exploitation requires network access to the Airflow REST API and valid credentials with task-instance read permission on the target DAG. The attacker queries the task-instance detail or list endpoint for a DAG containing a deferred operator that passes secrets to its trigger. The response includes the unmasked trigger kwargs. The vulnerability affects confidentiality only; integrity and availability are not impacted. See the Apache Airflow security advisory and GitHub Pull Request #67868 for technical details of the fix.

Detection Methods for CVE-2026-49487

Indicators of Compromise

  • Unexpected authenticated GET requests against /api/v1/dags/{dag_id}/dagRuns/{run_id}/taskInstances or task-instance detail endpoints from unusual source addresses.
  • API access patterns targeting DAGs known to contain deferrable operators handling credentials.
  • Response payloads from the Airflow API containing values that resemble API keys or tokens in the trigger.kwargs field.

Detection Strategies

  • Review Airflow webserver access logs for enumeration of task-instance endpoints, particularly targeting deferred tasks.
  • Correlate API authentication events with user roles to identify accounts abusing DAG-scoped read permissions.
  • Inspect response bodies at an API gateway or reverse proxy for known secret patterns leaving the Airflow deployment.

Monitoring Recommendations

  • Enable audit logging on all Airflow REST API endpoints and forward events to a central SIEM for retention and correlation.
  • Alert on high-volume task-instance queries from a single principal or session.
  • Track upgrades to apache-airflow 3.3.0 across environments and flag deployments still running affected versions.

How to Mitigate CVE-2026-49487

Immediate Actions Required

  • Upgrade Apache Airflow to version 3.3.0 or later, which masks sensitive values in trigger kwargs returned by the API.
  • Rotate any provider API keys, tokens, or credentials that may have been exposed through deferred trigger kwargs on affected versions.
  • Audit DAG-scoped task-instance read permissions and remove access for accounts that do not require it.

Patch Information

The fix is delivered in apache-airflow 3.3.0. The patch applies the existing secrets masker to trigger kwargs in the task-instance API serializer. Details are available in GitHub Pull Request #67868 and the Openwall OSS Security announcement.

Workarounds

  • Restrict Airflow REST API access to trusted networks using firewall rules or a reverse proxy until the upgrade is applied.
  • Refactor deferrable operators to retrieve secrets inside the trigger from Airflow Connections or a secrets backend rather than passing them through trigger kwargs.
  • Reduce user permissions so that only operators who require task-instance visibility retain DAG-scoped read access.
bash
# Upgrade Apache Airflow to a fixed release
pip install --upgrade "apache-airflow>=3.3.0"

# Verify the installed version
airflow version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.