Apache Airflow exposes secret values to authenticated UI users via rendered templates

GHSA-fv47-pqh6-wxgq · BIT-airflow-2025-66388 · CVE-2025-66388 · PYSEC-2025-86

Published Dec 15, 2025 · Modified Jun 5, 2026

Description

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization.

Users are recommended to upgrade to version 3.1.4, which fixes this issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-66388
WEB https://github.com/apache/airflow/pull/58767
WEB https://github.com/apache/airflow/pull/58772
PACKAGE https://github.com/apache/airflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2025-86.yaml
WEB https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g
WEB http://www.openwall.com/lists/oss-security/2025/12/12/1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes