CVE-2026-45192 | THREATINT

Description

A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.

PUBLISHED Reserved 2026-05-10 | Published 2026-06-01 | Updated 2026-06-01 | Assigner apache

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status

unaffected

Any version before 3.2.2

affected

Credits

Or Sahar, Secure From Scratch finder

Jarek Potiuk (@potiuk) remediation developer

References

www.openwall.com/lists/oss-security/2026/06/01/3

github.com/apache/airflow/pull/66673 patch

lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd vendor-advisory

cve.org (CVE-2026-45192)

nvd.nist.gov (CVE-2026-45192)

Download JSON