CVE-2026-32690

CVE-2026-32690: Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1

Vendor Apache Software Foundation

Product Apache Airflow

Weakness CWE-668

Published April 18, 2026

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented

Key dates

Disclosure timeline

April 18, 2026 CVE published

April 20, 2026 Record updated