oss-sec mailing list archives

CVE-2025-54831: Apache Airflow: Connection sensitive details exposed to users with READ permissions


From: Kaxil Naik <kaxilnaik () apache org>
Date: Thu, 25 Sep 2025 17:39:23 +0100


Severity: important

Affected versions:
- Apache Airflow (apache-airflow) 3.0.3

Description:

Apache Airflow 3 introduced a change to the handling of sensitive
information in Connections. The intent was to restrict access to
sensitive connection fields to Connection Editing Users, effectively
applying a "write-only" model for sensitive values.

In Airflow 3.0.3, this model was unintentionally violated: sensitive
connection information could be viewed by users with READ permissions
through both the API and the UI. This behavior also bypassed the
`AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option.

This issue does not affect Airflow 2.x, where exposing sensitive
information to connection editors was the intended and documented
behavior.

Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.
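As an added verification check (not code from the advisory or from the Airflow project): the script below inspects the JSON body of a connection listing fetched from the REST API with read-only credentials and reports every sensitive value that came back in clear, which is exactly what a fixed instance should not return to such a user. The response shape (`{"connections": [...]}` as served by GET /api/v2/connections), the `***` mask token and the sensitive-key name pattern are assumptions, and the sample responses are constructed.

```python
import json
import re

# Assumed: Airflow redacts values by key name; this pattern approximates its
# default sensitive-field name list and is not taken from the advisory.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|passphrase|secret|token|api_key|apikey|private_key|keyfile_dict|service_account)",
    re.IGNORECASE)
MASK = "***"  # assumed token Airflow substitutes for a redacted value

def is_masked(value):
    """A value counts as masked when it is absent, empty, or the mask token."""
    return value in (None, "", MASK)

def exposed_extra_keys(extra):
    """Return the sensitive keys inside a connection's 'extra' JSON whose values are in clear."""
    if is_masked(extra):
        return []
    try:
        parsed = json.loads(extra) if isinstance(extra, str) else extra
    except ValueError:
        return ["extra"]  # non-masked but unparseable: report the whole field conservatively
    if not isinstance(parsed, dict):
        return []
    return [k for k, v in parsed.items() if SENSITIVE_KEY.search(k) and not is_masked(v)]

def find_exposed(listing):
    """Return [(conn_id, field)] for every sensitive value the API returned unmasked."""
    findings = []
    for conn in listing.get("connections", []):
        cid = conn.get("conn_id", "?")
        if not is_masked(conn.get("password")):
            findings.append((cid, "password"))
        for key in exposed_extra_keys(conn.get("extra")):
            findings.append((cid, f"extra.{key}"))
    return findings

# Constructed sample response bodies: one as a 3.0.3 instance would answer a READ-only user,
# one as a fixed instance answers (password and sensitive extra keys masked).
VULNERABLE_RESPONSE = {"connections": [
    {"conn_id": "pg_prod", "conn_type": "postgres", "login": "app",
     "password": "hunter2", "extra": json.dumps({"sslmode": "require", "api_key": "abc123"})},
]}
PATCHED_RESPONSE = {"connections": [
    {"conn_id": "pg_prod", "conn_type": "postgres", "login": "app",
     "password": MASK, "extra": json.dumps({"sslmode": "require", "api_key": MASK})},
]}

if __name__ == "__main__":
    print(find_exposed(VULNERABLE_RESPONSE), find_exposed(PATCHED_RESPONSE))
```

Run find_exposed() over the parsed body of a real listing obtained with a read-only account; any finding means sensitive connection data is reachable without edit rights.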

References:
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54831
