GHSA-gfw7-2v73-69wg

When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.

The issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T15:42:56Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-02-21T03:15:57Z",
    "cwe_ids": [
        "CWE-209"
    ]
}

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1

Affected versions

1.*

1.8.1

1.8.2rc1

1.8.2

1.9.0

1.10.0

1.10.1b1

1.10.1rc2

1.10.1

1.10.2b2

1.10.2rc1

1.10.2rc2

1.10.2rc3

1.10.2

1.10.3b1

1.10.3b2

1.10.3rc1

1.10.3rc2

1.10.3

1.10.4b2

1.10.4rc1

1.10.4rc2

1.10.4rc3

1.10.4rc4

1.10.4rc5

1.10.4

1.10.5rc1

1.10.5

1.10.6rc1

1.10.6rc2

1.10.6

1.10.7rc1

1.10.7rc2

1.10.7rc3

1.10.7

1.10.8rc1

1.10.8

1.10.9rc1

1.10.9

1.10.10rc1

1.10.10rc2

1.10.10rc3

1.10.10rc4

1.10.10rc5

1.10.10

1.10.11rc1

1.10.11rc2

1.10.11

1.10.12rc1

1.10.12rc2

1.10.12rc3

1.10.12rc4

1.10.12

1.10.13rc1

1.10.13

1.10.14rc1

1.10.14rc2

1.10.14rc3

1.10.14rc4

1.10.14

1.10.15rc1

1.10.15

2.*

2.0.0b1

2.0.0b2

2.0.0b3

2.0.0rc1

2.0.0rc2

2.0.0rc3

2.0.0

2.0.1rc1

2.0.1rc2

2.0.1

2.0.2rc1

2.0.2

2.1.0rc1

2.1.0rc2

2.1.0

2.1.1rc1

2.1.1

2.1.2rc1

2.1.2

2.1.3rc1

2.1.3

2.1.4rc1

2.1.4rc2

2.1.4

2.2.0b1

2.2.0b2

2.2.0rc1

2.2.0

2.2.1rc1

2.2.1rc2

2.2.1

2.2.2rc1

2.2.2rc2

2.2.2

2.2.3rc1

2.2.3rc2

2.2.3

2.2.4rc1

2.2.4

2.2.5rc1

2.2.5rc2

2.2.5rc3

2.2.5

2.3.0b1

2.3.0rc1

2.3.0rc2

2.3.0

2.3.1rc1

2.3.1

2.3.2rc1

2.3.2rc2

2.3.2

2.3.3rc1

2.3.3rc2

2.3.3rc3

2.3.3

2.3.4rc1

2.3.4

2.4.0b1

2.4.0rc1

2.4.0

2.4.1rc1

2.4.1

2.4.2rc1

2.4.2

2.4.3rc1

2.4.3

2.5.0rc1

2.5.0rc2

2.5.0rc3

2.5.0

2.5.1rc1

2.5.1rc2

2.5.1

2.5.2rc1

2.5.2rc2

2.5.2

2.5.3rc1

2.5.3rc2

2.5.3

2.6.0b1

2.6.0rc1

2.6.0rc2

2.6.0rc3

2.6.0rc4

2.6.0rc5

2.6.0

2.6.1rc1

2.6.1rc2

2.6.1rc3

2.6.1

2.6.2rc1

2.6.2rc2

2.6.2

2.6.3rc1

2.6.3

2.7.0b1

2.7.0rc1

2.7.0rc2

2.7.0

2.7.1rc1

2.7.1rc2

2.7.1

2.7.2rc1

2.7.2

2.7.3rc1

2.7.3

2.8.0b1

2.8.0rc1

2.8.0rc2

2.8.0rc3

2.8.0rc4

2.8.0

2.8.1rc1

2.8.1

2.8.2rc1

2.8.2rc2

2.8.2rc3

2.8.2

2.8.3rc1

2.8.3

2.8.4rc1

2.8.4

2.9.0b1

2.9.0b2

2.9.0rc1

2.9.0rc2

2.9.0rc3

2.9.0

2.9.1rc1

2.9.1rc2

2.9.1

2.9.2rc1

2.9.2

2.9.3rc1

2.9.3

2.10.0b1

2.10.0b2

2.10.0rc1

2.10.0

2.10.1rc1

2.10.1

2.10.2rc1

2.10.2

2.10.3rc1

2.10.3rc2

2.10.3

2.10.4rc1

2.10.4

2.10.5rc1

2.10.5

2.11.0rc1

2.11.0

2.11.1rc1

2.11.1rc2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json"

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0b1

Fixed

3.1.5rc1

Affected versions

3.*

3.0.0b4

3.0.0rc1

3.0.0rc1.post1

3.0.0rc1.post2

3.0.0rc1.post3

3.0.0rc1.post4

3.0.0rc2

3.0.0rc3

3.0.0rc4

3.0.0

3.0.1rc1

3.0.1

3.0.2rc1

3.0.2rc2

3.0.2

3.0.3rc1

3.0.3rc2

3.0.3rc3

3.0.3rc4

3.0.3rc5

3.0.3rc6

3.0.3

3.0.4rc1

3.0.4rc2

3.0.4

3.0.5rc1

3.0.5rc2

3.0.5rc3

3.0.5

3.0.6rc1

3.0.6rc2

3.0.6

3.1.0b1

3.1.0b2

3.1.0rc1

3.1.0rc2

3.1.0

3.1.1rc1

3.1.1rc2

3.1.1

3.1.2rc1

3.1.2rc2

3.1.2

3.1.3rc1

3.1.3

3.1.4rc1

3.1.4rc2

3.1.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json"