Sensitive Information Exposure in Apache Airflow 3.0.3
CVE-2025-54831

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 26 September 2025

What is CVE-2025-54831?

In Apache Airflow version 3.0.3, a change intended to limit access to sensitive connection fields was improperly implemented, allowing users with READ permissions to access sensitive connection information through both the API and the user interface. This unintended exposure overrides the AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS configuration, compromising sensitive data security. Users of Airflow 3.0.3 should update to version 3.0.4 or later to mitigate this vulnerability, as Airflow 2.x does not experience this issue due to the intended behavior of sensitive field access.

Affected Version(s)

Apache Airflow 3.0.3

References

https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 26, 2025
Vulnerability Reserved
Jul 30, 2025

JSON