CVE-2026-42360

MEDIUM EPSS 25.3%

Published Jun 1, 20264w ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Jun 1, 2026 4w ago

Last Modified Jun 17, 2026 1w ago

Description

A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.

CVSS Details

Base Score

6.5

Exploitability

2.8

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

25.3% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 1

Vendor	Product	Version	Range
apache	airflow	*	<3.2.2

References 2

github.com https://github.com/apache/airflow/pull/65906

Issue TrackingPatch
lists.apache.org https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4

Mailing ListVendor Advisory

Remediation

github.com https://github.com/apache/airflow/pull/65906

Issue TrackingPatch