CVE-2026-42526
Description
In the AWS Secrets Manager and SSM Parameter Store secrets backends of apache-airflow-providers-amazon prior to 9.28.0, the team-scoping logic could resolve a conn_id containing a / (e.g. "my_team/conn") to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding conn_id. Fixed in 9.28.0 by switching the team-scope separator to -- and rejecting team-shaped conn_ids when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to apache-airflow-providers-amazon 9.28.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflow-providers-amazonPyPI | < 9.28.0 | 9.28.0 |
Affected products
2- Range: <9.28.0
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.