|
|
Message-ID: <85ce3262-1dc8-2cb7-7497-8ae99eda0b89@apache.org> Date: Tue, 07 Jul 2026 08:26:54 +0000 From: Rahul Vats <rahulvats@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2026-48828: Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key Severity: moderate Affected versions: - Apache Airflow (apache-airflow) before 3.3.0 Description: The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based `should_hide_value_for_key` check (which triggers on secret-suffixed key names like `*_password` / `*_token` / `*_secret`) could not fire for JSON-decodable variable values. An authenticated UI/API user with bulk Variable read permission could retrieve plaintext values from JSON variables whose key would otherwise trigger redaction. Affects deployments that store sensitive values in JSON-typed Airflow Variables under secret-suffixed key names. Users are advised to upgrade to `apache-airflow` 3.3.0 or later (the fix landed on `main` after 3.2.2; no 3.2.x backport). Credit: Omkhar Arasaratnam (@omkhar) (finder) Shubham Raj (@shubhamraj-git) (remediation developer) References: https://github.com/apache/airflow/pull/67495 https://airflow.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-48828
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.