Skip to main content

Apache CVE-2026-30912

| EUVDEUVD-2026-23662 HIGH
Exposure of Resource to Wrong Sphere (CWE-668)
2026-04-18 apache GHSA-w7cf-2pmc-5m4c
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

8
Analysis Updated
Apr 21, 2026 - 14:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 17:54 vuln.today
CVSS changed
Apr 20, 2026 - 17:52 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 18, 2026 - 07:00 euvd
EUVD-2026-23662
Analysis Generated
Apr 18, 2026 - 07:00 vuln.today
Patch released
Apr 18, 2026 - 07:00 nvd
Patch available
CVE Published
Apr 18, 2026 - 06:20 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 pypi packages depend on apache-airflow (1 direct, 9 indirect)
  • 10 pypi packages depend on apache-airflow-core (2 direct, 8 indirect)

Ecosystem-wide dependent count for version 3.2.0 and other introduced versions.

DescriptionCVE.org

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

AnalysisAI

Apache Airflow before 3.2.0 exposes SQL exception stack traces through API responses despite api/expose_stack_traces=false configuration, allowing remote unauthenticated attackers to enumerate database schema details, table names, query structure, and internal filesystem paths. CVSS 7.5 (High) with network vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation. Vendor patch available in Airflow 3.2.0 per Apache advisory. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Technical ContextAI

Apache Airflow is a workflow orchestration platform that uses SQL databases (PostgreSQL, MySQL, etc.) for metadata storage and task state management. The vulnerability stems from improper exception handling (CWE-668: Exposure of Resource to Wrong Sphere) in the API layer. When SQL queries fail-due to syntax errors, constraint violations, or database connectivity issues-the API returns raw exception objects containing stack traces. These traces leak implementation details including database schema structure, table/column names, SQL query fragments, Python file paths, library versions, and database driver information. The api/expose_stack_traces configuration flag was intended to suppress this debug information in production deployments but was bypassed for SQL-specific exceptions, effectively nullifying the security control.

RemediationAI

Upgrade to Apache Airflow 3.2.0 or later, which implements proper exception sanitization in API responses per GitHub PR #63028 (https://github.com/apache/airflow/pull/63028). The patch enforces api/expose_stack_traces configuration for all exception types including SQL errors. For environments unable to immediately upgrade, implement compensating controls: deploy a reverse proxy (nginx, Apache httpd, or cloud WAF) to filter API responses, stripping 'traceback' and 'exception' fields from JSON payloads (note: may break legitimate error handling in admin tools); restrict API access to trusted networks via firewall rules or VPC security groups, reducing exposure to internal users only (trade-off: limits remote monitoring capabilities); enable detailed API request logging to detect reconnaissance attempts through repeated error responses (high false-positive rate from legitimate client errors). These workarounds reduce attack surface but do not eliminate the vulnerability-prioritize patching for production systems.

Share

CVE-2026-30912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy