{"schema_version": "1.6.1", "id": "CVE-2026-45192", "summary": "Incomplete Redaction of Sensitive Fields in Connection Extra API Response", "details": "A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "3.2.2"}]}]}], "references": [{"type": "WEB", "url": "https://github.com/apache/airflow/pull/66673"}, {"type": "WEB", "url": "https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd"}]}