CVE-2026-45192
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-200
Revelación de información
Fecha de publicación:
01/06/2026
Última modificación:
01/06/2026
Descripción
*** Pendiente de traducción *** A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.
Impacto
Puntuación base 3.x
6.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* | 3.2.2 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



