Platform
python
Component
apache-airflow
Fixed in
3.2.0
CVE-2026-30912 describes an information disclosure vulnerability affecting Apache Airflow versions from 0.0.0 through 3.2.0. The flaw allows attackers to view exception stack traces through the API even when the api/expose_stack_traces setting is configured to false. These stack traces can reveal sensitive details of the Airflow environment and may aid further attacks. A fix is available in Apache Airflow 3.2.0.
The primary impact of CVE-2026-30912 is the potential exposure of sensitive information contained within exception stack traces. Attackers could leverage this information to gain insights into the internal workings of the Airflow deployment, including database connection strings, file paths, and potentially even credentials. While the vulnerability doesn't directly lead to code execution, the information gained could be used to identify other vulnerabilities or weaknesses within the system. This could facilitate privilege escalation or data exfiltration. The risk is amplified in environments where Airflow is used to orchestrate sensitive data pipelines or interact with critical systems.
CVE-2026-30912 was publicly disclosed on 2026-04-18. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the ease of exploitation suggests that they could emerge. The vulnerability's impact is primarily informational, but the potential for information leakage warrants prompt remediation.
Exploit Status
EPSS
0.08% (23rd percentile)
The recommended mitigation for CVE-2026-30912 is to upgrade to Apache Airflow version 3.2.0 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider temporarily restricting access to the Airflow API to trusted users and networks. Review Airflow logs for any unusual activity that might indicate exploitation attempts. While not a direct mitigation, ensuring robust input validation and sanitization throughout your Airflow DAGs can help reduce the risk of information leakage through other channels. After upgrading, confirm the fix by attempting to trigger an error through the API while api/expose_stack_traces is set to false – the stack trace should not be displayed.
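A post-upgrade check matching the verification step above, written for this page as an added example (not Airflow project code): it reads the [api] expose_stack_traces setting from an airflow.cfg and flags Python traceback fragments in an API error response body. The traceback patterns, the sample config and the sample response bodies are constructed assumptions, not captured from a real deployment.

```python
"""Post-upgrade check for CVE-2026-30912 (added example, not Airflow project code):
read [api] expose_stack_traces from airflow.cfg and scan an API error body for
traceback fragments, which must be absent once the setting is False."""
import configparser
import io
import json
import re

# Fragments that indicate a Python traceback leaked into an HTTP response body (assumed patterns).
_TRACEBACK_RE = re.compile(
    r"Traceback \(most recent call last\)"
    r'|File "[^"]+", line \d+, in \w+'
    r"|^\s*[\w.]+(?:Error|Exception): ",
    re.MULTILINE,
)

def expose_stack_traces_enabled(cfg_text: str) -> bool:
    """Effective value of [api] expose_stack_traces; a missing key is treated as disabled."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(cfg_text))
    return parser.getboolean("api", "expose_stack_traces", fallback=False)

def _strings(obj):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for value in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(value)

def leaks_stack_trace(body: str) -> bool:
    """True if an error body carries traceback fragments, as raw text or inside JSON fields."""
    try:
        text = "\n".join(_strings(json.loads(body)))
    except ValueError:
        text = body  # not JSON: scan the raw body
    return _TRACEBACK_RE.search(text) is not None

def fix_verified(cfg_text: str, error_body: str) -> bool:
    """The check from the mitigation text: exposure disabled and nothing leaked in the response."""
    return not expose_stack_traces_enabled(cfg_text) and not leaks_stack_trace(error_body)

# Constructed sample inputs, not captured from a real deployment.
CFG_DISABLED = "[api]\nexpose_stack_traces = False\n"
SAFE_BODY = '{"detail": "Internal Server Error"}'
LEAKY_BODY = json.dumps({"detail": "Traceback (most recent call last):\n"
    '  File "/opt/airflow/example.py", line 42, in get_dag\n'
    "sqlalchemy.exc.OperationalError: could not connect"})
```

Feed `leaks_stack_trace` the body of a real error response after upgrading; a `True` result with the setting disabled means the deployment still exposes traces.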
Update Apache Airflow to version 3.2.0 or higher to prevent stack traces from being exposed in case of SQL errors. This update corrects the vulnerability by ensuring that stack traces are not exposed through the API, even when 'api/expose_stack_traces' is disabled.
CVE-2026-30912 is a vulnerability in Apache Airflow versions 0.0.0–3.2.0 where exception stack traces can be exposed through the API, even when stack trace exposure is disabled, potentially revealing sensitive information.
You are affected if you are running Apache Airflow versions 0.0.0 through 3.2.0 and have not yet upgraded to a patched version.
Upgrade to Apache Airflow version 3.2.0 or later to remediate this vulnerability. Temporarily restrict API access if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns, but the ease of exploitation suggests potential for future attacks.
Refer to the Apache Airflow security advisories on the Apache project website for the latest information: https://airflow.apache.org/security/