Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
8Blast Radius
ecosystem impact- 10 pypi packages depend on apache-airflow (1 direct, 9 indirect)
- 10 pypi packages depend on apache-airflow-core (2 direct, 8 indirect)
Ecosystem-wide dependent count for version 3.2.0 and other introduced versions.
DescriptionCVE.org
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
AnalysisAI
Apache Airflow before 3.2.0 exposes SQL exception stack traces through API responses despite api/expose_stack_traces=false configuration, allowing remote unauthenticated attackers to enumerate database schema details, table names, query structure, and internal filesystem paths. CVSS 7.5 (High) with network vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation. Vendor patch available in Airflow 3.2.0 per Apache advisory. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Technical ContextAI
Apache Airflow is a workflow orchestration platform that uses SQL databases (PostgreSQL, MySQL, etc.) for metadata storage and task state management. The vulnerability stems from improper exception handling (CWE-668: Exposure of Resource to Wrong Sphere) in the API layer. When SQL queries fail-due to syntax errors, constraint violations, or database connectivity issues-the API returns raw exception objects containing stack traces. These traces leak implementation details including database schema structure, table/column names, SQL query fragments, Python file paths, library versions, and database driver information. The api/expose_stack_traces configuration flag was intended to suppress this debug information in production deployments but was bypassed for SQL-specific exceptions, effectively nullifying the security control.
RemediationAI
Upgrade to Apache Airflow 3.2.0 or later, which implements proper exception sanitization in API responses per GitHub PR #63028 (https://github.com/apache/airflow/pull/63028). The patch enforces api/expose_stack_traces configuration for all exception types including SQL errors. For environments unable to immediately upgrade, implement compensating controls: deploy a reverse proxy (nginx, Apache httpd, or cloud WAF) to filter API responses, stripping 'traceback' and 'exception' fields from JSON payloads (note: may break legitimate error handling in admin tools); restrict API access to trusted networks via firewall rules or VPC security groups, reducing exposure to internal users only (trade-off: limits remote monitoring capabilities); enable detailed API request logging to detect reconnaissance attempts through repeated error responses (high false-positive rate from legitimate client errors). These workarounds reduce attack surface but do not eliminate the vulnerability-prioritize patching for production systems.
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23662
GHSA-w7cf-2pmc-5m4c