Security Oversights in Apache Airflow Deployment Management
CVE-2025-66236
Currently unrated
What is CVE-2025-66236?
Prior to Apache Airflow version 3.2.0, the security responsibilities of the Deployment Manager were ambiguous, which could lead to improper security practices. Users may have been unclear about which security measures are necessary for a secure Airflow deployment. The security model, including workload isolation and the intricacies of JWT authentication, is described more explicitly in the new version. To ensure robust security and compliance with Airflow's security model, users should upgrade to version 3.2.0 and follow the updated guidelines in the documentation and blog announcements.
Affected Version(s)
Apache Airflow 3.0.0 < 3.2.0