PatchSiren

CVE-2026-42358 Apache Software Foundation CVE debrief

A residual information disclosure vulnerability in Apache Airflow's Variable response masker allows authenticated users with Variable read permission to retrieve plaintext secrets from deeply-nested JSON Variables when nesting depth exceeds the shared secrets masker's recursion limit. The masker returns the original nested item before checking for sensitive key-name suffixes (e.g., password, token, secret, api_key), bypassing redaction. This is a follow-on gap from CVE-2026-32690, which addressed shallower nesting via max_depth=1 but did not raise the recursion cap itself, permitting the same bypass pattern at greater depths. Deployments storing sensitive values in deeply-nested JSON Variables are affected. Users who upgraded for CVE-2026-32690 must additionally upgrade to apache-airflow 3.2.2 or later to close the deep-nesting path.

Vendor
Apache Software Foundation
Product
Apache Airflow
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Apache Airflow operators storing secrets in JSON Variables; security teams managing Airflow RBAC; organizations that applied the CVE-2026-32690 patch and assumed complete remediation

Technical summary

The shared secrets masker in Apache Airflow recursively processes JSON Variable values to redact sensitive keys based on name suffixes. When nesting depth exceeds the masker's recursion limit, the masker short-circuits and returns the original nested item before performing the key-name sensitivity check. This allows plaintext extraction of secrets stored under sensitive key names at sufficient nesting depth. The vulnerability affects deployments using deeply-nested JSON Variables for secret storage. The fix in apache-airflow 3.2.2 corrects the masker's depth-boundary handling to ensure key-name checks occur before recursion-limit short-circuit.
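To make the ordering bug concrete, here is a toy masker, an added illustration written for this debrief and not Airflow's own SecretsMasker code. `redact_vulnerable` tests the depth cap before the key name, which is the pattern the summary describes; `redact_fixed` tests the key name first and, as an extra hardening of mine that the page does not attribute to the upstream fix, masks the whole remaining subtree once the cap is hit instead of returning it. The `MAX_DEPTH` of 5, the suffix list, the `build_variable` sample and the `hunter2` value are assumptions; the real recursion cap is not stated on this page.

```python
"""Toy secrets masker showing the depth-limit bypass (illustration, not Airflow code)."""
from __future__ import annotations

import json
from typing import Any, Callable, Optional

# Key-name suffixes treated as sensitive (the set the debrief names).
SENSITIVE_SUFFIXES = ("password", "token", "secret", "api_key")
REDACTED = "***"
# Hypothetical recursion cap; the real masker's limit is not stated on the page.
MAX_DEPTH = 5


def is_sensitive(name: Optional[str]) -> bool:
    """Match on the key-name suffix, case-insensitively; non-string keys never match."""
    return isinstance(name, str) and any(name.lower().endswith(s) for s in SENSITIVE_SUFFIXES)


def _descend(item: Any, depth: int, redact: Callable[..., Any]) -> Any:
    """Recurse into dict/list containers, passing each dict key as the child's name."""
    if isinstance(item, dict):
        return {k: redact(v, k, depth + 1) for k, v in item.items()}
    if isinstance(item, (list, tuple)):
        return type(item)(redact(v, None, depth + 1) for v in item)
    return item


def redact_vulnerable(item: Any, name: Optional[str] = None, depth: int = 0) -> Any:
    """Bug pattern: the depth cap is tested BEFORE the key name, so anything past
    MAX_DEPTH is returned as-is, even a value stored under 'db_password'."""
    if depth > MAX_DEPTH:
        return item
    if is_sensitive(name):
        return REDACTED
    return _descend(item, depth, redact_vulnerable)


def redact_fixed(item: Any, name: Optional[str] = None, depth: int = 0) -> Any:
    """Key name is tested first, so a sensitive key is masked at any depth. Past
    the cap this version fails closed and masks the remaining subtree; that
    second choice is my hardening, not something the page attributes to upstream."""
    if is_sensitive(name):
        return REDACTED
    if depth > MAX_DEPTH:
        return REDACTED
    return _descend(item, depth, redact_fixed)


def build_variable(levels: int) -> dict:
    """Constructed sample Variable: a secret wrapped in `levels` nested dicts,
    so the sensitive key sits at depth levels + 1."""
    node: Any = {"db_password": "hunter2", "region": "eu-west-1"}
    for i in range(levels, 0, -1):
        node = {f"level{i}": node}
    return node


def leaks_plaintext(redacted: Any, secret: str = "hunter2") -> bool:
    """True if the secret survives anywhere in the rendered response."""
    return secret in json.dumps(redacted)


if __name__ == "__main__":
    for levels in (2, 6):
        var = build_variable(levels)
        print(levels, "levels: vulnerable leaks =", leaks_plaintext(redact_vulnerable(var)),
              "| fixed leaks =", leaks_plaintext(redact_fixed(var)))
```

With two wrapper levels both variants redact the password; with six, the vulnerable variant hands back the innermost dict untouched because depth 6 exceeds the cap before the key name is ever examined. Failing closed at the cap costs you any non-sensitive values that sit that deep in the rendered response, which is the safer trade for a masker whose only job is to keep secrets out of UI and API output.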

Defensive priority

high

Recommended defensive actions

  • Upgrade apache-airflow to version 3.2.2 or later to obtain the corrected secrets masker recursion handling
  • If you already upgraded for CVE-2026-32690, confirm that the upgrade to 3.2.2 or later has also been applied; the earlier fix did not move the depth-limit boundary, so on its own it leaves this deep-nesting path open
  • Audit existing Airflow Variables for sensitive key names (password, token, secret, api_key) stored at nesting depths that may exceed masker recursion limits
  • Review Variable read permissions to ensure least-privilege access for UI/API users
  • Monitor Variable access logs for anomalous retrieval patterns targeting deeply-nested JSON structures
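For the audit step, the following is an added script of mine, not a PatchSiren or Airflow tool. It walks a key-to-value JSON export of Variables, such as the file written by `airflow variables export`, and reports every key whose name ends in one of the sensitive suffixes together with its nesting depth, flagging those deeper than a threshold. The threshold of 5 and the `SAMPLE_EXPORT` data are assumptions; the real masker recursion cap is not stated on this page. JSON Variables are accepted either as already-parsed objects or as JSON-encoded strings, since exports can carry either.

```python
"""Audit exported Airflow Variables for sensitive key names at risky depth
(added illustration; not a PatchSiren or Airflow tool)."""
from __future__ import annotations

import json
import sys
from typing import Any, Iterator

# Suffixes the debrief names as sensitive.
SENSITIVE_SUFFIXES = ("password", "token", "secret", "api_key")
# Hypothetical cap; the real masker recursion limit is not given on the page.
DEFAULT_DEPTH_THRESHOLD = 5


def is_sensitive(name: Any) -> bool:
    """Suffix match on the key name; non-string keys never match."""
    return isinstance(name, str) and any(name.lower().endswith(s) for s in SENSITIVE_SUFFIXES)


def sensitive_paths(value: Any, path: tuple = (), depth: int = 0) -> Iterator[tuple[tuple, int]]:
    """Yield (path, depth) for every key whose name looks sensitive. Depth counts
    the containers above the key, so a top-level key is at depth 1."""
    if isinstance(value, dict):
        for k, v in value.items():
            child = path + (str(k),)
            if is_sensitive(k):
                yield child, depth + 1
            yield from sensitive_paths(v, child, depth + 1)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from sensitive_paths(v, path + (f"[{i}]",), depth + 1)


def load_variable(raw: Any) -> Any:
    """Exports may carry JSON Variables as parsed objects or as JSON strings."""
    if isinstance(raw, str):
        try:
            return json.loads(raw)
        except ValueError:
            return raw
    return raw


def audit_variables(exported: dict, depth_threshold: int = DEFAULT_DEPTH_THRESHOLD) -> list[dict]:
    """One finding per sensitive key; beyond_cap flags keys deeper than the threshold."""
    findings = []
    for var_key, raw in exported.items():
        for path, depth in sensitive_paths(load_variable(raw)):
            findings.append({
                "variable": var_key,
                "path": ".".join(path),
                "depth": depth,
                "beyond_cap": depth > depth_threshold,
            })
    return findings


# Constructed sample export in the key-to-value shape `airflow variables export` writes.
SAMPLE_EXPORT = {
    "shallow_conn": '{"host": "db.internal", "db_password": "hunter2"}',
    "deep_config": json.dumps(
        {"env": {"prod": {"services": {"billing": {"backend": {"auth": {"api_key": "k-3f9c"}}}}}}}
    ),
    "plain_string": "not-json",
    "already_parsed": {"tokens": [{"refresh_token": "r1"}, {"name": "svc"}]},
}


if __name__ == "__main__":
    # Usage: python audit_variables.py [exported.json] [depth_threshold]
    exported = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_DEPTH_THRESHOLD
    for f in audit_variables(exported, threshold):
        flag = "BEYOND CAP" if f["beyond_cap"] else "ok"
        print(f'{flag:10} {f["variable"]} {f["path"]} (depth {f["depth"]})')
```

Run against the sample, only `deep_config` is flagged (its `api_key` sits at depth 7); `shallow_conn` and `already_parsed` are reported so you have a complete inventory of where secrets live under sensitive names, but are within the assumed cap. Keep the threshold conservative: if you do not know the masker's real limit, treat every finding beyond a few levels as something to flatten or relocate before relying on masking.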

Evidence notes

CVE published 2026-06-01. Apache security advisory references confirm CWE-200 (Information Exposure) classification. Pull request #65912 and mailing list thread provide vendor remediation path.

Official resources

2026-06-01