Information disclosure in Apache Airflow - CVE-2026-42360
Published: June 4, 2026
Vulnerability identifier: #VU133381
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-42360
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Airflow
Apache Airflow
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper masking of sensitive information in rendered-template field handling when processing structured JSON templates that exceed the configured maximum templated field length. A remote user can read rendered template fields through the UI or API to disclose sensitive information.
Only deployments where DAG authors pass structured JSON to operators with nested sensitive keys are affected.
How to mitigate CVE-2026-42360
Install security update from vendor's website.