Unauthorized Access to Sensitive Data in Apache Airflow
CVE-2025-66388

4.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 15 December 2025

What is CVE-2025-66388?

A vulnerability in Apache Airflow allows authenticated users of the UI to access and view sensitive secret values that are not properly redacted in rendered templates. This flaw can potentially expose confidential information to users who lack the necessary authorization to access such data. It is highly recommended that users upgrade to version 3.1.4, which addresses and resolves this vulnerability, ensuring improved security and proper access controls.

Affected Version(s)

Apache Airflow 3.1.0 < 3.1.4

References

https://github.com/apache/airflow/pull/58772

patch

https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbt...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 15, 2025
Vulnerability Reserved
Nov 28, 2025

Credit

William Ashe

Amogh Desai

JSON