Sensitive Data Exposure in Apache Airflow by The Apache Software Foundation
CVE-2025-68438

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 16 January 2026

What is CVE-2025-68438?

In earlier versions of Apache Airflow, rendered templates may inadvertently expose sensitive data in plain text due to insufficient masking mechanisms. When template fields exceed the specified limit, the serialization process fails to adequately secure sensitive information, leading to its potential display in the Rendered Templates UI. This is attributed to the use of a secrets masker that does not encompass all user-defined masking patterns, resulting in a lack of reliable protection before data display. Users are advised to update to version 3.1.6 or later to mitigate this risk.

Affected Version(s)

Apache Airflow 3.1.0 < 3.1.6

References

https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfs...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 16, 2026
Vulnerability Reserved
Dec 17, 2025

Credit

William Ashe

Amogh Desai

JSON