CVE-2026-32690: Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries

April 18, 2026 (updated April 22, 2026)

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case the variables were retrieved by the user the secrets stored as nested fields were not masked.

If developers do not store variables with sensitive values in JSON form, their projects are not affected. Otherwise upgrade to the fixed version, Apache Airflow 3.2.0.

References

github.com/advisories/GHSA-w9r4-94fj-xp69
github.com/apache/airflow
github.com/apache/airflow/pull/63480
lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5
nvd.nist.gov/vuln/detail/CVE-2026-32690

Code Behaviors & Features

Detect and mitigate CVE-2026-32690 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →