Unauthorized Access to Sensitive Data in Apache Airflow
CVE-2025-66388

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 15 December 2025

What is CVE-2025-66388?

A vulnerability in Apache Airflow allows authenticated users of the UI to access and view sensitive secret values that are not properly redacted in rendered templates. This flaw can potentially expose confidential information to users who lack the necessary authorization to access such data. It is highly recommended that users upgrade to version 3.1.4, which addresses and resolves this vulnerability, ensuring improved security and proper access controls.

Affected Version(s)

Apache Airflow 3.1.0 < 3.1.4

References

https://github.com/apache/airflow/pull/58772

patch

https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbt...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 15, 2025
Vulnerability Reserved
Nov 28, 2025

Credit

William Ashe

Amogh Desai

JSON