CVE-2022-27949 is a vulnerability in the Apache Airflow web UI that lets an attacker read unmasked (real, plain-text) secrets in the rendered template values of tasks that were _not executed_, for example tasks that never ran because a previous instance or an upstream dependency failed. It affects Apache Airflow versions prior to 2.3.1.

> If you use Airflow to automate things and store secrets, your secrets could be exposed to anyone with access to the UI.

How Does the Vulnerability Work?

Airflow renders templated task parameters with Jinja, and those templates often pull sensitive values out of Variables and Connections (passwords, API tokens, cloud credentials). For a task that has run, the rendered fields are stored when the task executes and passed through Airflow's secrets masker before the UI shows them, so secret values appear as ***. For a task that has not run (for example, one that never started because an upstream dependency failed), the affected versions render the template on the fly in the webserver and display the result without applying that masking, so the raw value is shown.

Imagine you have this in your DAG:

from airflow import DAG
from airflow.operators.bash import BashOperator
from datetime import datetime

with DAG("secret_leak_demo", schedule_interval="@daily", start_date=datetime(2022, 1, 1)) as dag:
    t1 = BashOperator(
        task_id="say_secret",
        # bash_command is a templated field: the Variable is resolved when the field is rendered
        bash_command="echo {{ var.value.my_super_secret }}"
    )

Suppose my_super_secret is an Airflow Variable containing something sensitive, like an AWS token.

If say_secret never runs (for example because an upstream task failed and say_secret was marked upstream_failed), anyone who can view the Airflow webserver can open that task instance's Rendered Template page (Task Instance Detail -> Rendered Template) and see the actual value of my_super_secret unmasked.

Observe: The secret appears in plain text.

Screenshot

(Image omitted here, but you would see a line like:)

echo s3cr3tAWSkey

Instead of the masked form Airflow normally shows:

echo ***
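To make the failure mode concrete, here is an added example (my own code, not Airflow's) that models the two rendering paths the UI has: stored fields for a task that ran, and on-the-fly rendering for a task that did not. The *** placeholder and the register-on-access behaviour mirror what Airflow does; everything else (the SecretsMasker class, render_fields, rendered_template_page, leaks_secret, the VARIABLES store and the TASK dict) is a simplified stand-in I wrote for this demonstration, and the Variable values are constructed.

```python
import re

REDACTED = "***"  # the placeholder Airflow substitutes for masked values

# Constructed Variable store standing in for Airflow's Variable table.
VARIABLES = {
    "my_super_secret": "s3cr3tAWSkey",
    "region": "eu-west-1",
}

# The task from the DAG above, reduced to its templated fields (env added to show nesting).
TASK = {
    "task_id": "say_secret",
    "template_fields": {
        "bash_command": "echo {{ var.value.my_super_secret }}",
        "env": {"AWS_TOKEN": "{{ var.value.my_super_secret }}", "REGION": "{{ var.value.region }}"},
    },
}


class SecretsMasker:
    """Simplified model of Airflow's secrets masker: it hides only values that were
    registered through mask_secret(), replacing them with *** wherever they occur."""

    def __init__(self):
        self._secrets = set()

    def mask_secret(self, value):
        if isinstance(value, str) and value:
            self._secrets.add(value)

    def redact(self, item):
        if isinstance(item, str):
            for secret in sorted(self._secrets, key=len, reverse=True):
                item = item.replace(secret, REDACTED)
            return item
        if isinstance(item, dict):
            return {k: self.redact(v) for k, v in item.items()}
        if isinstance(item, (list, tuple)):
            return type(item)(self.redact(v) for v in item)
        return item


VAR_REF = re.compile(r"\{\{\s*var\.value\.(\w+)\s*\}\}")


def sensitive_name(name):
    """Airflow masks Variables whose names contain a sensitive keyword; 'secret' is one."""
    return "secret" in name.lower()


def render_fields(task, masker):
    """Render the templated fields. Reading a sensitive-named Variable registers its
    value with the masker, mirroring what Variable.get does in Airflow."""
    def lookup(match):
        name = match.group(1)
        value = VARIABLES[name]
        if sensitive_name(name):
            masker.mask_secret(value)
        return value

    def render(value):
        if isinstance(value, str):
            return VAR_REF.sub(lookup, value)
        if isinstance(value, dict):
            return {k: render(v) for k, v in value.items()}
        return value

    return {field: render(tmpl) for field, tmpl in task["template_fields"].items()}


def rendered_template_page(task, *, executed, fixed):
    """Model of the Rendered Template page for one task instance.

    executed=True : the worker rendered and stored the fields when the task ran;
                    the page passes the stored copy through the masker.
    executed=False: nothing was stored, so the page renders the template itself.
                    Before the fix (fixed=False) that live result is shown as-is.
    """
    masker = SecretsMasker()
    if executed:
        stored = render_fields(task, masker)  # what the worker saved at run time
        return masker.redact(stored)
    live = render_fields(task, masker)        # rendered on demand by the webserver
    if fixed:
        return masker.redact(live)            # 2.3.1+: same masking as the stored path
    return live                               # CVE-2022-27949: masking never applied


def leaks_secret(page):
    """True if the page still contains the raw value of any sensitive-named Variable."""
    text = repr(page)
    return any(v in text for k, v in VARIABLES.items() if sensitive_name(k))


if __name__ == "__main__":
    for executed, fixed in ((True, False), (False, False), (False, True)):
        page = rendered_template_page(TASK, executed=executed, fixed=fixed)
        print(f"executed={executed} fixed={fixed} leak={leaks_secret(page)} -> {page['bash_command']}")
```

The point the model makes is that masking is a separate step from rendering: the masker already knows the secret (the Variable lookup registered it), but the unexecuted-task path simply never calls redact() on what it rendered. The fix is not new masking logic, it is routing the live-rendered result through the same redaction the stored path always used.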

Impact: How Bad Is This?

- High severity: Anyone with Airflow UI access (regular users, admins, even service accounts) can read the secrets referenced by tasks that have not run.
- Common exposure: Secrets are routinely injected into tasks through Airflow Variables and Connections, so any templated field that references one is a candidate for leaking.
- Not privilege escalation: The bug does _not_ give access to people who lack it already. But if you use RBAC with many users, even "read-only" accounts that can open task instance pages could read the secrets.

How Do I Fix It?

1. Upgrade Airflow

The best fix is to upgrade to Apache Airflow 2.3.1 or later, which applies the masking to rendered template values of unexecuted tasks as well:

pip install --upgrade "apache-airflow"

or

pip install apache-airflow==2.3.1

2. Restrict UI access

Make sure only trusted users can reach the Airflow UI, and until you are upgraded treat everyone who can as able to read any secret a template references.

- Review roles: Use Airflow's Role-Based Access Control (RBAC) to limit who can view task instances and their rendered templates.
- Mask variables: Keep secrets out of plain Variables where you can (a secrets backend is the better home), and remember that Airflow's automatic masking only covers Variables and Connection fields whose names contain a sensitive keyword such as password, secret or token; extra names can be added through the [core] sensitive_var_conn_names setting.
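The last point can be checked mechanically. The following is an added example (my own script, not part of Airflow) that scans DAG source for Jinja references to Variables and reports which names would fall under Airflow's automatic masking rule. The matching rule (lower-case the name, mask if it contains a sensitive fragment) and the comma-separated parsing of [core] sensitive_var_conn_names follow Airflow's behaviour; the keyword list itself is my approximation of Airflow's default and should be checked against your installed version, and the sample DAG source is constructed for the demo.

```python
import re

# Assumption: approximates the default sensitive-name fragments in
# airflow.utils.log.secrets_masker; confirm against the version you run.
DEFAULT_SENSITIVE_FIELDS = {
    "access_token", "api_key", "apikey", "authorization", "passphrase",
    "passwd", "password", "private_key", "secret", "token",
}


def parse_extra_sensitive_names(config_value):
    """Parse the comma-separated [core] sensitive_var_conn_names setting."""
    return {n.strip().lower() for n in config_value.split(",") if n.strip()}


def should_hide_value_for_key(name, extra=frozenset()):
    """Airflow's rule: a Variable is masked if its lower-cased name contains a sensitive fragment."""
    name = name.strip().lower()
    return any(fragment in name for fragment in DEFAULT_SENSITIVE_FIELDS | set(extra))


# Matches {{ var.value.NAME ... }} and {{ var.json.NAME ... }} references in DAG source.
VAR_REF = re.compile(r"\{\{[^}]*?\bvar\.(?:value|json)\.([A-Za-z_]\w*)")


def find_variable_refs(dag_source):
    """All Variable names referenced from templates in one DAG file, sorted and de-duplicated."""
    return sorted(set(VAR_REF.findall(dag_source)))


def audit_dag_source(dag_source, extra_sensitive=frozenset()):
    """Return {variable_name: 'masked' | 'UNMASKED'} for every Variable a template references."""
    return {
        name: "masked" if should_hide_value_for_key(name, extra_sensitive) else "UNMASKED"
        for name in find_variable_refs(dag_source)
    }


# Constructed DAG source for the demo, not a real file.
SAMPLE_DAG = '''
with DAG("secret_leak_demo", schedule_interval="@daily", start_date=datetime(2022, 1, 1)) as dag:
    t1 = BashOperator(task_id="say_secret", bash_command="echo {{ var.value.my_super_secret }}")
    t2 = BashOperator(task_id="upload", bash_command="aws s3 cp out.csv s3://bucket/ --profile {{ var.value.aws_key }}")
    t3 = BashOperator(task_id="db", bash_command="psql -h {{ var.json.db_config.host }} -c 'select 1'")
    t4 = BashOperator(task_id="date", bash_command="echo {{ ds }} {{ var.value.region }}")
'''

if __name__ == "__main__":
    for name, status in audit_dag_source(SAMPLE_DAG).items():
        print(f"{name:20s} {status}")
    extra = parse_extra_sensitive_names("aws_key, db_config")
    print(audit_dag_source(SAMPLE_DAG, extra))
```

Run it over your DAGs folder and look at the UNMASKED rows: a Variable called aws_key or db_config holds something sensitive but contains none of the default keywords, so its value stays visible in rendered templates even on a patched Airflow. Either rename such Variables to include a keyword, or list them in [core] sensitive_var_conn_names so the masker picks them up.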

References

- Apache Airflow CVE-2022-27949 Security Advisory (Official)
- NVD CVE-2022-27949 Record
- Airflow Jira Issue (AIRFLOW-802)
- Patch Commit on GitHub
- BleepingComputer Article
Want to stay safe?  
Update Airflow, review access to your web UI, and be careful where secrets go in template code! If you find yourself on an older Airflow version, treat anyone with UI access as _potentially having all your secrets_.

Timeline

Published on: 11/14/2022 10:15:00 UTC
Last modified on: 11/16/2022 18:52:00 UTC