GHSA-g9qc-qf28-hhqxMediumCVSS 5.3

Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends

Published
May 19, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

In the AWS Secrets Manager and SSM Parameter Store secrets backends of apache-airflow-providers-amazon prior to 9.28.0, the team-scoping logic could resolve a conn_id containing a / (e.g. "my_team/conn") to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding conn_id. Fixed in 9.28.0 by switching the team-scope separator to -- and rejecting team-shaped conn_ids when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to apache-airflow-providers-amazon 9.28.0, which fixes the issue.

🎯 Affected products1

  • pip/apache-airflow-providers-amazon:< 9.28.0

🔗 References (5)