CVE-2025-66388
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization.
Users are recommended to upgrade to version 3.1.4, which fixes this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow | 3.1.0 < 3.1.4 | affected |
Weaknesses
- CWE-201: CWE-201 Insertion of Sensitive Information Into Sent Data
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/apache/airflow/pull/58772
- https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.