CVE-2025-66388

Summary

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization.

Users are recommended to upgrade to version 3.1.4, which fixes this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Airflow3.1.0 < 3.1.4affected

Weaknesses

  • CWE-201: CWE-201 Insertion of Sensitive Information Into Sent Data

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References