CVE-2026-42526

EUVD-2026-30974

19.05.2026, 20:16

In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Vulnerability Media Exposure

[GERMAN] Apache Airflow: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Apache Airflow ausnutzen, um Dateien zu manipulieren und Informationen offenzulegen.
Published: 2026-05-19T22:00:00+00:00

References

https://github.com/apache/airflow/pull/65703

https://lists.apache.org/thread/0092sz5g520d3qqjb01wd61myqlgjtyn

http://www.openwall.com/lists/oss-security/2026/05/19/36