Sensitive Data Exposure in Apache Airflow Products by Vendor Apache
CVE-2026-25219

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-25219?

The Apache Airflow configuration regarding connection properties for services like Azure Service Bus lacks appropriate sensitivity markers. As a result, sensitive information such as access keys and connection strings can be inadvertently disclosed to users with read permissions. This exposure can occur in both the Connection UI and system logs, allowing unauthorized visibility of confidential data. Organizations are urged to update their Airflow installations to version 3.1.8 or later to safeguard sensitive information stored in connection properties.

Affected Version(s)

Apache Airflow 0 < 3.1.8

References

https://github.com/apache/airflow/pull/61580

patch

https://github.com/apache/airflow/pull/61582

patch

https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb9...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Jan 30, 2026

Credit

Saurabh Banawar

CVE-2026-25219 Data

JSON