Home

Description

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.

PUBLISHED Reserved 2025-11-28 | Published 2025-12-15 | Updated 2025-12-15 | Assigner apache

Problem types

CWE-201 Insertion of Sensitive Information Into Sent Data

Product status

Default status
unaffected

3.1.0 (semver) before 3.1.4
affected

Credits

William Ashe finder

Amogh Desai remediation developer

References

www.openwall.com/lists/oss-security/2025/12/12/1

github.com/apache/airflow/pull/58772 patch

lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g vendor-advisory

cve.org (CVE-2025-66388)

nvd.nist.gov (CVE-2025-66388)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.