CVE-2026-30912 — Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to

Description

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

How to fix CVE-2026-30912

To remediate CVE-2026-30912, upgrade the affected package to a fixed version below.

—upgrade to 3.2.0 or later
—upgrade to 3.2.0 or later
—upgrade to 3.2.0 or later

Is CVE-2026-30912 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.2.0
from 0, < 3.2.0
from 0, < 3.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-30912
WEBgithub.com/apache/airflow
WEBgithub.com/apache/airflow/pull/63028
WEBgithub.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-18.yaml
WEB