MEDIUM 6.5

CVE-2026-45192: Apache Airflow Connection API Credential Leak – CVSS 6.5

Apache Airflow's connection API endpoint leaks sensitive credentials that should have been hidden. When a user with permission to read connections retrieves connection details via the REST API, the system fails to redact secrets stored in the connection's extra fields if they don't match known credential field names. This means passwords, API keys, and tokens for services like Slack can be exposed to any authenticated user with basic connection-read access—a permission that's often broadly granted in Airflow deployments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The GET `/api/v2/connections/{connection_id}` endpoint in Apache Airflow uses a hardcoded allowlist (`DEFAULT_SENSITIVE_FIELDS`) to identify which JSON keys within a Connection's `extra` blob should be redacted before returning to the caller. The vulnerability stems from the fact that different credential providers use varying field names for the same credential type—official Slack provider fields, for instance, are not in the default allowlist. An authenticated attacker with Connection-read permission can request connection details and receive unredacted secrets for any field name absent from the allowlist, enabling credential exfiltration without further privilege escalation.

Business impact

In multi-user Airflow deployments, this vulnerability enables lateral privilege escalation and credential theft. Users granted standard connection-read access—often necessary for DAG development and troubleshooting—can harvest production credentials for external services (databases, APIs, cloud platforms) embedded in connections. Compromised credentials can then be used to access data warehouses, trigger unauthorized workflows in dependent systems, or pivot to further infrastructure compromise. Organizations with shared Airflow environments or federated access control are at highest risk.

Affected systems

Apache Airflow deployments storing credentials directly in Connection `extra` JSON fields and granting Connection-read permission to multiple users or teams. The vulnerability affects all versions prior to 3.2.2. Deployments that exclusively use secret backends (e.g., Kubernetes Secrets, AWS Secrets Manager) for credential storage are unaffected, as are single-operator or fully trusted environments where all users can already access all secrets.

Exploitability

Exploitability is straightforward: the attacker must already have valid Airflow credentials and Connection-read permission (a common, non-privileged role). No complex multi-step attack or special network access is required—a simple REST API call or UI navigation exposes the secrets. The only barrier is authentication; once inside, extraction is trivial. This makes it a practical, low-friction attack vector in any environment where access control boundaries exist between users.

Remediation

Upgrade Apache Airflow to version 3.2.2 or later, which corrects the redaction logic to properly mask sensitive fields across provider implementations. As a defense-in-depth strategy, operators should migrate credential storage away from inline Connection `extra` fields and into a dedicated secret backend (Kubernetes Secrets, HashiCorp Vault, AWS Secrets Manager, etc.). This eliminates the attack surface entirely and improves credential rotation and audit logging.

Patch guidance

Apply the upgrade to apache-airflow 3.2.2 or later as soon as feasible. If immediate patching is not possible, implement network or API gateway restrictions to limit who can call `/api/v2/connections/*` endpoints, and audit all recent connection API access logs to identify potential credential exfiltration. Verify that your deployment does not expose connection endpoints to untrusted networks. Test the patch in a non-production environment to ensure compatibility with custom providers or middleware before production rollout.

Detection guidance

Monitor Airflow API audit logs for repeated or bulk requests to GET `/api/v2/connections/` endpoints, especially from service accounts or users outside normal DAG development patterns. Search for successful responses containing unredacted credential-like strings (API keys, bearer tokens, passwords) in the `extra` field. Correlate connection API access with subsequent authentication attempts to external systems using harvested credentials. Review IAM and Connection-read permission grants; identify overly broad access and implement least-privilege review. In secret-backend deployments, confirm that Connection `extra` fields remain empty or contain only non-sensitive metadata.

Why prioritize this

A CVSS 6.5 MEDIUM score reflecting high confidentiality impact but no integrity or availability risk. However, the practical severity is elevated by the ease of exploitation, the prevalence of multi-user Airflow setups, and the value of Airflow credentials as a stepping stone to data and compute infrastructure. Prioritize remediation in environments where connection-read permission is granted to development teams, contractors, or cross-functional groups. Single-operator or fully air-gapped deployments can be deprioritized.

Risk score, explained

The CVSS 6.5 score reflects a network-accessible API (AV:N) with low complexity (AC:L) that requires authentication (PR:L) but no user interaction (UI:N), delivering high confidentiality impact (C:H) but no integrity or availability damage (I:N, A:N). The score is appropriate for an information-disclosure flaw in a sensitive API; however, organizational risk depends heavily on deployment topology and access control posture. Environments with strict, role-based connection permissions and secret-backend storage face significantly lower risk than those relying on inline credentials and broad API access.

Frequently asked questions

Do we need to upgrade if we store all credentials in a secret backend and never put sensitive data in Connection extra fields?

No, your deployment is unaffected. The vulnerability applies only to credentials stored inline in the Connection's `extra` JSON blob. If you use Kubernetes Secrets, Vault, or similar backends exclusively, this CVE does not pose a risk to your environment. Continue following your standard patching schedule, but this is not an urgent issue for you.

What should we do if we cannot upgrade immediately?

First, audit Connection-read permissions and identify who has access. Restrict API access to `/api/v2/connections/*` via network controls, API gateway policies, or reverse-proxy rules if possible. Review recent connection API logs for suspicious activity. Second, begin a project to migrate inline credentials to a secret backend; this is a high-value, long-term defense. Third, plan the upgrade as soon as your change-control process allows.

Will the patch break our custom provider plugins or integrations?

The patch corrects redaction logic and should not break integrations. However, if you have custom provider code that relies on unredacted connection fields, it may need adjustment. Test the upgrade in a dev or staging environment before production deployment, and consult the Apache Airflow 3.2.2 release notes for any breaking changes.

How can we detect if an attacker has already exploited this vulnerability in our environment?

Review Airflow API audit logs (if available) for GET requests to `/api/v2/connections/` endpoints with successful 200 responses. Look for patterns of repeated or bulk queries, especially from unexpected users. Cross-reference connection API access with subsequent successful logins or API calls to external systems using credentials that appear in those connections. A SIEM or log aggregation tool can help automate this search. Also audit for any recent credential rotation or unexpected activity in downstream systems (databases, APIs) that might indicate harvested credentials were used.

This analysis is provided for informational purposes and reflects information available as of the publication date. The vulnerability details, affected versions, and patch guidance are based on official Apache Airflow advisories and CVE data. Security teams should independently verify patch version numbers against vendor advisories before deployment. This document does not constitute legal advice or a guarantee of security; implementation decisions should be based on individual risk assessments, organizational policy, and vendor guidance. No exploit code or weaponized proof-of-concept is provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).