Sensitive Data Exposure in Apache Airflow UI Error Reporting
CVE-2025-65995

6.5MEDIUM

Key Information:

Vendor

Apache
Status
Apache Airflow
Vendor
CVE Published:
21 February 2026

What is CVE-2025-65995?

In Apache Airflow, an issue arises during DAG parsing where the user interface's error reporting may inadvertently expose complete keyword arguments (kwargs) passed to operators. This leak can occur if the kwargs include sensitive information, such as secrets, thereby allowing authenticated users with DAG viewing permissions to see this sensitive data in UI tracebacks. To mitigate this risk, users are strongly encouraged to upgrade to the fixed versions: Airflow 3.1.4 or 2.11.1.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Airflow 3.0.0 < 3.1.4

Apache Airflow 0 < 2.11.1

References

https://github.com/apache/airflow/pull/58252
patch
https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pz...
vendor-advisory
https://github.com/apache/airflow/pull/61883
patch

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Frieder Gottman (Cariad)
Jens Scheffler (Bosch)
Jens Scheffler (Bosch)
JSON
.