GHSA-33g2-gx67-c2h3
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 8 pypi packages depend on apache-airflow (4 direct, 4 indirect)
Ecosystem-wide dependent count for version 3.2.2.
Description PRE-NVD
AnalysisAI
The SecretsMasker component in Apache Airflow prior to 3.2.2 returns cleartext sensitive values when those values are stored under recognized sensitive key names (password, token, secret, api_key) nested deeper than five dict levels in structured payloads. Authenticated low-privilege users can craft dag_run.conf or XCom payloads exceeding this depth threshold, causing secrets to surface in task logs, rendered templates, and API responses. No public exploit code exists and EPSS is 0.02% at the 5th percentile - this is not confirmed actively exploited (not in CISA KEV) - but the CVSS confidentiality impact is rated High given that the bypass can expose real credentials to any user who can review logs.
Technical ContextAI
The root cause (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) lives in _redact_all() within airflow_shared/secrets_masker/secrets_masker.py (CPE: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*). Prior to the fix, a single depth > max_depth guard (max_depth defaulting to 5) controlled the entire recursive descent, covering both key-name-based redaction and pattern-based string masking. When a dict containing a sensitive key was nested at depth 6 or beyond, the function short-circuited and returned the subtree unchanged rather than evaluating key names. The PR #65912 fix decouples these two behaviors: dict traversal for key-name-based redaction is now unbounded (relying on Python's own recursion limit and a fail-closed <redaction-failed> except clause for self-referential structures), while the depth cap is retained only for the computationally expensive pattern-based string masking pass. Test cases in the PR confirm that password, token, secret, and api_key are correctly masked at depths 5, 6, and 7 post-fix.
RemediationAI
Upgrade to Apache Airflow 3.2.2 or later, which includes the restructured SecretsMasker from PR #65912 (https://github.com/apache/airflow/pull/65912). The patched release ensures key-name-based redaction traverses dict structures at any nesting depth, eliminating the bypass. If immediate upgrade is not feasible, enforce a policy that sensitive credentials stored in dag_run.conf or XCom payloads are placed at a nesting depth of four or fewer levels, keeping them within the existing max_depth guard - note this is a fragile workaround and does not fix the underlying defect. Additionally, restrict task log access and the rendered-template view in the Airflow UI to the minimum set of trusted users, reducing the surface area for credential harvesting. Review existing task logs for any instances of cleartext sensitive key names (password, token, secret, api_key) that may have been exposed prior to patching. The vendor advisory is at https://lists.apache.org/thread/33635mv3zjb75wn5453c5yf9trs8x2om.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33589