Platform: python
Component: apache-airflow
Fixed in: 3.2.0
CVE-2026-32690 describes a vulnerability in Apache Airflow where secrets stored as JSON dictionaries within Variables were not properly redacted. This means that if a user retrieved these variables, the secrets contained within nested fields could be exposed. The vulnerability affects versions 3.0.0 through 3.2.0 of Apache Airflow, and a fix has been implemented in version 3.2.0.
The primary impact of CVE-2026-32690 is information disclosure. Attackers who can access Airflow Variables, particularly those stored as JSON dictionaries, could obtain sensitive data such as API keys, database passwords, or other credentials. This exposure could lead to unauthorized access to systems and data, potentially enabling further attacks. The blast radius is limited to systems that are accessible through Airflow and rely on the exposed secrets. Although this is not a direct remote code execution (RCE) flaw, compromised secrets can be a stepping stone to more severe breaches.
CVE-2026-32690 was publicly disclosed on 2026-04-18. There is no indication of active exploitation or KEV listing at this time. Public proof-of-concept code is not currently available, but the vulnerability's nature makes it likely that such code will emerge. The EPSS score is currently unknown, pending further analysis.
Exploit Status
EPSS: 0.10% (28% percentile)
The primary mitigation for CVE-2026-32690 is to upgrade Apache Airflow to version 3.2.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider restricting access to Airflow Variables to authorized users only. Avoid storing sensitive information as nested JSON dictionaries within Airflow Variables. If you must store secrets, consider using Airflow's Connections feature, which provides more secure storage and access control. There are no WAF rules or specific detection signatures readily available for this vulnerability, as it's primarily a configuration issue.
Update Apache Airflow to version 3.2.0 or higher to prevent the exposure of secrets stored in JSON variables. Review your variable configuration and avoid storing sensitive information in JSON format if not strictly necessary. Consult the official Apache Airflow documentation for more details on secure variable management.
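One way to carry out the variable review described above, as an added example that is not part of the original advisory or Airflow's own code: it scans a mapping of Variable names to values and reports secret-looking keys nested inside JSON documents. The keyword list, the function names and the sample data are assumptions constructed for illustration.

```python
import json
from typing import Any, Iterator

# Assumed substrings that mark a field name as sensitive; adjust them to
# match your deployment's naming conventions.
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey", "private_key")


def _walk(node: Any, path: str) -> Iterator[str]:
    """Yield paths of nested keys whose name looks sensitive and holds a value."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, (dict, list)):
                yield from _walk(value, child)
            elif any(h in str(key).lower() for h in SENSITIVE_HINTS) and value not in (None, ""):
                yield child
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def find_nested_secrets(variables: dict[str, Any]) -> list[str]:
    """Return paths of secret-looking fields nested inside JSON-valued variables."""
    findings: list[str] = []
    for name, raw in variables.items():
        value = raw
        if isinstance(raw, str):
            try:
                value = json.loads(raw)
            except ValueError:
                continue  # plain string variable, not a JSON document
        if isinstance(value, (dict, list)):
            findings.extend(_walk(value, name))
    return findings


# Constructed sample input, not real data.
SAMPLE = {
    "plain_setting": "eu-west-1",
    "db_config": '{"host": "db.example.internal", "auth": {"user": "etl", "password": "example-only"}}',
    "services": {"billing": [{"url": "https://billing.example.internal", "api_key": "example-only"}]},
    "feature_flags": '{"token_refresh": {"enabled": true}}',
}

if __name__ == "__main__":
    for path in find_nested_secrets(SAMPLE):
        print(path)  # prints only the location, never the secret value
```

Each reported path is a candidate for moving into a Connection or a secrets backend rather than a JSON Variable.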
CVE-2026-32690 is a vulnerability in Apache Airflow (versions 3.0.0–3.2.0) where secrets stored as JSON dictionaries within Variables were not properly redacted, potentially exposing sensitive data to users.
You are affected if you are using Apache Airflow versions 3.0.0 through 3.2.0 and store sensitive information as nested JSON dictionaries within Airflow Variables.
Upgrade Apache Airflow to version 3.2.0 or later to resolve this vulnerability. Avoid storing sensitive data as nested JSON dictionaries.
There is currently no public information indicating active exploitation of CVE-2026-32690.
Refer to the Apache Airflow security advisories on the Apache Foundation website for the official advisory regarding CVE-2026-32690.