Apache Airflow: Secrets in rendered templates not redacted properly and...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization.

Users are recommended to upgrade to version 3.1.4, which fixes this issue.

Basic Information

ID CVE-2025-66388

Source apache

Published Dec 15, 2025 at 11:30

Modified Dec 16, 2025 at 21:46

Affected Product

Vendor Apache Software Foundation

Product Apache Airflow

Version 3.1.0

Affected Versions Apache Software Foundation Apache Airflow 3.1.0

CWE Classification

CWE-201

References

{
    "lastseen": "",
    "description": "A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted,\u00a0potentially exposing secrets to users without the appropriate authorization.\n\nUsers are recommended to upgrade to version 3.1.4, which fixes this issue.",
    "published": "2025-12-15T11:30:44.355Z",
    "modified": "2025-12-16T21:46:50.021Z",
    "type": "cve",
    "title": "Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI",
    "source": "apache",
    "references": "https://github.com/apache/airflow/pull/58772\nhttps://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g",
    "id": "CVE-2025-66388",
    "bulletinFamily": "",
    "cwe": [
        "CWE-201"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Airflow 3.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Airflow",
    "version": "3.1.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI_CVE-2025-66388