| ID |
CVE-2026-49487
|
| Sažetak |
In Apache Airflow before 3.3.0, the REST API task-instance detail and list
endpoints returned a deferred task's trigger kwargs without masking. When a
deferred operator passed a secret (for example a provider API key) into its
trigger, any authenticated user with DAG-scoped task-instance read access for
that DAG could read that secret in clear text while the task was deferred.
Users should upgrade to apache-airflow 3.3.0 or later, which masks sensitive
values in trigger kwargs returned by the API. |
| Reference |
|
| CVSS |
| Base: | 6.5 |
| Impact: | 3.6 |
| Exploitability: | 2.8 |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| NETWORK |
LOW |
LOW |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| HIGH |
NONE |
NONE |
|
| CVSS vektor |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Zadnje važnije ažuriranje |
09-07-2026 - 13:17 |
| Objavljeno |
07-07-2026 - 10:16 |