PatchSiren cyber security CVE debrief
CVE-2026-42526 Apache Software Foundation CVE debrief
CVE-2026-42526 is a confidentiality issue in the experimental multi-tenant teams feature of apache-airflow-providers-amazon. In the AWS Secrets Manager and SSM Parameter Store secrets backends, a team-scoping collision could let a privileged caller without team context retrieve another team's secret by choosing a conn_id that mapped to the same path. The issue was fixed in 9.28.0 by changing the separator used for team-scoped paths and by rejecting team-shaped conn_id values when no team context is present.
- Vendor: Apache Software Foundation
- Product: Apache Airflow Amazon provider
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Administrators and platform teams running Apache Airflow with apache-airflow-providers-amazon, especially deployments using the experimental multi-tenant teams feature and the AWS Secrets Manager or SSM Parameter Store secrets backends. Security teams should pay attention if privileged service accounts can access the secrets backend without an associated team context.
Technical summary
The bug affects the team-scoping logic in the Amazon provider's secrets backends. When a caller had no team context, a conn_id containing '/' could resolve to the same storage path as another team's team-scoped secret, creating a path collision. A privileged caller could therefore request a colliding conn_id and retrieve a secret that belonged to a different team. The fix in version 9.28.0 switches the team-scope separator to '--' and rejects team-shaped conn_id values when team context is absent. The provided NVD metadata maps the issue to CWE-863 and to CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N.
Defensive priority
Medium-to-high. The flaw can expose secrets across team boundaries, which is serious in a multi-tenant environment, but it is limited to the experimental teams feature and requires privileged access without team context rather than unauthenticated access.
Recommended defensive actions
- Upgrade apache-airflow-providers-amazon to 9.28.0 or later.
- If you use the experimental multi-tenant teams feature, review which callers can access the AWS Secrets Manager and SSM Parameter Store backends without team context.
- Audit for unexpected secret reads involving team-scoped conn_id values, especially where team names or conn_id values may contain '/'.
- Validate in staging that the upgraded provider rejects team-shaped conn_id values when no team context is present.
- Reassess any automation or service accounts that depend on implicit path resolution for secrets access.
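A hypothetical model of the path collision and of the 9.28.0 fix described in the Technical summary, shaped so it can back the staging check and the audit action above. This is added example code, not the Amazon provider's implementation; the prefix, path layout and function names are assumptions.

```python
from typing import Optional

ASSUMED_PREFIX = "airflow/connections"  # constructed; not the provider's real prefix

def path_before_fix(conn_id: str, team: Optional[str]) -> str:
    """Modelled pre-9.28.0 layout: team scope and conn_id joined with '/'.

    A caller with no team context is handed PREFIX/<conn_id>; since conn_id
    may itself contain '/', 'teamA/db' lands on the same key as team A's 'db'.
    """
    if team is None:
        return f"{ASSUMED_PREFIX}/{conn_id}"
    return f"{ASSUMED_PREFIX}/{team}/{conn_id}"

def path_after_fix(conn_id: str, team: Optional[str]) -> str:
    """Modelled 9.28.0 layout: '--' separates team and conn_id, and a
    team-shaped conn_id is refused when no team context is present."""
    if team is None:
        if "--" in conn_id:
            raise ValueError(f"team-shaped conn_id {conn_id!r} without team context")
        return f"{ASSUMED_PREFIX}/{conn_id}"
    return f"{ASSUMED_PREFIX}/{team}--{conn_id}"

def rejected_without_team(conn_id: str) -> bool:
    """True if the fixed logic refuses conn_id for a caller with no team."""
    try:
        path_after_fix(conn_id, None)
    except ValueError:
        return True
    return False

def audit_requests(requests, teams, build=path_after_fix):
    """Audit helper: flag no-team requests whose resolved path equals some
    team-scoped secret path. requests: [(conn_id, team_or_None)];
    teams: {team: {conn_id, ...}}. Returns [(requested conn_id, colliding team)]."""
    team_paths = {build(c, t): t for t, ids in teams.items() for c in ids}
    hits = []
    for conn_id, team in requests:
        if team is not None:
            continue  # team-scoped callers stay under their own prefix
        try:
            path = build(conn_id, None)
        except ValueError:
            continue  # rejected before any backend lookup
        if path in team_paths:
            hits.append((conn_id, team_paths[path]))
    return hits
```

Running `audit_requests` with `build=path_before_fix` over constructed access records reproduces the collision; with the default fixed builder the same records yield no hits.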
Evidence notes
The supplied source snapshot shows CVE-2026-42526 published and modified on 2026-05-19. NVD lists the vulnerability as 'Awaiting Analysis' and includes references to an Apache Airflow pull request, an Apache security mailing list thread, and an OSS-security archive post. The provided description states the affected components, the collision condition, the 9.28.0 fix, and that only the experimental multi-tenant teams feature is impacted. The NVD metadata also provides CVSS 3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N and CWE-863.
Official resources
- CVE-2026-42526 CVE record (CVE.org)
- CVE-2026-42526 NVD detail (NVD)
Publicly disclosed on 2026-05-19 through Apache security references and reflected in the CVE/NVD records on the same date. The provided NVD snapshot shows the entry as 'Awaiting Analysis' at that time.