Information disclosure in Apache Airflow - CVE-2026-42358

 


Published: June 4, 2026


Vulnerability identifier: #VU133382
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-42358
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Airflow

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper redaction logic in the Variable response masker when processing deeply nested JSON Variable values. A remote user can read Variable values in which sensitive keys are nested beyond the masker's recursion limit, and so disclose sensitive information.

Only deployments that store sensitive values inside deeply nested JSON Variables are affected.
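
To check whether a deployment matches the affected condition described above, the following added example (not Apache Airflow code and not part of the advisory) audits stored Variable values for sensitive-looking keys nested deeper than a threshold. The key-name fragments, the threshold of 5, the depth-counting convention and the sample data are assumptions to adjust for your environment.

```python
import json

# Assumptions (not from the advisory): the key fragments and depth threshold
# are placeholders; set them to match your deployment.
SENSITIVE_FRAGMENTS = ("password", "secret", "token", "api_key", "private_key")
DEPTH_THRESHOLD = 5

# Constructed sample Variables (name -> stored string value).
SAMPLE = {
    "shallow_cfg": '{"db": {"password": "x"}}',
    "deep_cfg": '{"a": {"b": {"c": {"d": {"e": {"api_key": "x"}}}}}}',
    "plain_text": "not json",
}


def is_sensitive(key):
    """Case-insensitive substring match against the configured fragments."""
    return any(f in str(key).lower() for f in SENSITIVE_FRAGMENTS)


def deep_sensitive_paths(value, threshold=DEPTH_THRESHOLD):
    """Return sorted (path, depth) for sensitive keys deeper than threshold."""
    # Explicit stack, so the audit has no depth limit of its own.
    # Convention assumed here: top-level keys are depth 1, lists add a level.
    hits, stack = [], [(value, "$", 0)]
    while stack:
        node, path, depth = stack.pop()
        if isinstance(node, dict):
            for key, child in node.items():
                if is_sensitive(key) and depth + 1 > threshold:
                    hits.append((f"{path}.{key}", depth + 1))
                stack.append((child, f"{path}.{key}", depth + 1))
        elif isinstance(node, list):
            for i, child in enumerate(node):
                stack.append((child, f"{path}[{i}]", depth + 1))
    return sorted(hits)


def audit_variables(variables, threshold=DEPTH_THRESHOLD):
    """Map Variable name -> deep sensitive paths; non-JSON values are skipped."""
    report = {}
    for name, raw in variables.items():
        try:
            hits = deep_sensitive_paths(json.loads(raw), threshold)
        except (TypeError, ValueError):
            continue
        if hits:
            report[name] = hits
    return report
```

Variables reported by `audit_variables` are candidates for flattening or for moving the secret into a dedicated secrets backend, independent of applying the vendor update.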


How to mitigate CVE-2026-42358

Install the security update from the vendor's website.
