LOW 3.7 PyPI

Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries

GHSA-w9r4-94fj-xp69 · BIT-airflow-2026-32690 · CVE-2026-32690 · PYSEC-2026-19

Description

Secrets in Variables saved as JSON dictionaries were not properly redacted: when a user retrieved such a variable, secrets stored in nested fields were not masked.

If developers do not store variables with sensitive values in JSON form, their projects are not affected. Otherwise, upgrade to the fixed version, Apache Airflow 3.2.0.
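
The sketch below is an added example, not Airflow's code. It models the failure mode described above (masking that stops at the top level of a JSON dictionary) next to a recursive masker, and audits a set of variable values for nested sensitive fields. The keyword list, function names and sample values are assumptions constructed for illustration.

```python
import json

# Assumed keyword list for illustration; not Airflow's own configuration.
SENSITIVE_WORDS = ("password", "secret", "token", "api_key", "private_key")
# Constructed sample variables (key -> stored string value).
SAMPLE = {
    "db_config": '{"host": "db.internal", "auth": {"user": "etl", "password": "x1"}}',
    "flat": '{"api_key": "abc123", "region": "eu"}',
    "plain": "not-json",
}

def is_sensitive(name):
    """True when a field name contains an assumed sensitive keyword."""
    return any(word in str(name).lower() for word in SENSITIVE_WORDS)

def redact(value, deep=True):
    """Mask sensitive fields; deep=False stops at the top level (the failure mode)."""
    if isinstance(value, dict):
        return {k: "***" if is_sensitive(k) else (redact(v) if deep else v)
                for k, v in value.items()}
    if isinstance(value, list) and deep:
        return [redact(item) for item in value]
    return value

def nested_secret_paths(value, path=""):
    """Paths of sensitive fields that sit below the top level."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            child = f"{path}.{k}" if path else str(k)
            if not is_sensitive(k):
                found.extend(nested_secret_paths(v, child))
            elif path:
                found.append(child)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            found.extend(nested_secret_paths(item, f"{path}[{i}]"))
    return found

def audit_variables(variables):
    """Map variable key -> nested sensitive paths, for JSON values only."""
    report = {}
    for key, raw in variables.items():
        try:
            parsed = json.loads(raw)
        except (TypeError, ValueError):
            continue  # non-JSON values are outside the advisory's scope
        if paths := nested_secret_paths(parsed):
            report[key] = paths
    return report
```

Running `audit_variables` over an export of variable keys and values lists the variables whose nested fields would have been returned unmasked, which are the secrets to consider for rotation after upgrading.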
