Security Oversights in Apache Airflow Deployment Management
CVE-2025-66236

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 13 April 2026

What is CVE-2025-66236?

Prior to Apache Airflow version 3.2.0, there were ambiguities regarding the security responsibilities of the Deployment Manager, which could lead to improper security practices. Users may have had unclear assumptions about security measures necessary for a secure deployment of Airflow. The security model, including workload isolation and JWT authentication intricacies, has since been detailed more explicitly in the new version. To ensure robust security and compliance with Airflow's security model, users should upgrade to version 3.2.0 and adhere to the updated guidelines provided in documentation and blog announcements.

Affected Version(s)

Apache Airflow 3.0.0 < 3.2.0

References

https://github.com/apache/airflow/pull/58662

patch

https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvw...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 13, 2026
Vulnerability Reserved
Nov 25, 2025

Credit

Saurabh Banawar

Amogh Desai

CVE-2025-66236 Data

JSON