GHSA-w7cf-2pmc-5m4c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w7cf-2pmc-5m4c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w7cf-2pmc-5m4c/GHSA-w7cf-2pmc-5m4c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w7cf-2pmc-5m4c
- Aliases
-
- BIT-airflow-2026-30912
- CVE-2026-30912
- Downstream
- Published
- 2026-04-18T09:30:20Z
- Modified
- 2026-04-22T17:40:58.981593013Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false
- Details
-
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
- Database specific
{ "github_reviewed_at": "2026-04-22T17:17:28Z", "cwe_ids": [ "CWE-668" ], "nvd_published_at": "2026-04-18T07:16:10Z", "github_reviewed": true, "severity": "MODERATE" }- References
Affected packages
PyPI / apache-airflow-core
Package
- Name
- apache-airflow-core
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.2.0
Affected versions
3.*
3.0.0rc1
3.0.0rc1.post1
3.0.0rc1.post2
3.0.0rc1.post3
3.0.0rc1.post4
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2rc2
3.0.2
3.0.3rc1
3.0.3rc2
3.0.3rc3
3.0.3rc4
3.0.3rc5
3.0.3rc6
3.0.3
3.0.4rc1
3.0.4rc2
3.0.4
3.0.5rc1
3.0.5rc2
3.0.5rc3
3.0.5
3.0.6rc1
3.0.6rc2
3.0.6
3.1.0b1
3.1.0b2
3.1.0rc1
3.1.0rc2
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1
3.1.2rc1
3.1.2rc2
3.1.2
3.1.3rc1
3.1.3
3.1.4rc1
3.1.4rc2
3.1.4
3.1.5rc1
3.1.5
3.1.6rc1
3.1.6
3.1.7rc1
3.1.7rc2
3.1.7
3.1.8rc1
3.1.8rc2
3.1.8
3.2.0b1
3.2.0b2
3.2.0rc1
3.2.0rc2