CVE-2026-48892

ADVISORY - pypa

Summary

The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID and AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID) as synthetic config options whose option names were not in sensitive_config_values, so the masker did not redact them. An authenticated UI/API user with Config read permission could retrieve plaintext secrets-backend credentials (Vault role_id / secret_id, etc.) from the Config API output. Affects deployments that configure secrets backends via per-key environment overrides. Users are advised to upgrade to apache-airflow 3.3.0 or later.

EPSS Score: 0.00438 (0.352)

Common Weakness Enumeration (CWE)


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in