Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated

GHSA-3qmm-r55x-hpxx · BIT-airflow-2025-68438 · CVE-2025-68438 · PYSEC-2026-9

Published Jan 16, 2026 · Modified Jun 5, 2026

Description

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.

Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-68438
PACKAGE https://github.com/apache/airflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-9.yaml
WEB https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff
WEB http://www.openwall.com/lists/oss-security/2026/01/15/5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes