oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-27555: Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli

From: Jarek Potiuk <potiuk () apache org>
Date: Mon, 23 Feb 2026 15:47:04 +0000
Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 2.11.1

Description:

Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see 
sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow 
CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While 
this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, 
which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with 
those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378

Credit:

sw0rd1ight (finder)

References:

https://github.com/apache/airflow/pull/61882
https://www.apache.org/security/
https://www.cve.org/CVERecord?id=CVE-2025-27555
Previous By Date Next
Previous By Thread Next

Current thread: