Message-ID: <CAH5JyZpcppJjVPTcuQmLJMaEaJa7CsH+dAgv1DNyQwsjR25iRw@mail.gmail.com>
Date: Thu, 25 Sep 2025 17:39:23 +0100
From: Kaxil Naik <kaxilnaik@...che.org>
To: oss-security@...ts.openwall.com, users@...flow.apache.org, 
	dev@...flow.apache.org
Subject: CVE-2025-54831: Apache Airflow: Connection sensitive details exposed
 to users with READ permissions

CVE-2025-54831: Apache Airflow: Connection sensitive details exposed
to users with READ permissions


Severity: important

Affected versions:
- Apache Airflow (apache-airflow) 3.0.3

Description:

Apache Airflow 3 introduced a change to the handling of sensitive
information in Connections. The intent was to restrict access to
sensitive connection fields to Connection Editing Users, effectively
applying a "write-only" model for sensitive values.

In Airflow 3.0.3, this model was unintentionally violated: sensitive
connection information could be viewed by users with READ permissions
through both the API and the UI. This behavior also bypassed the
`AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option.

This issue does not affect Airflow 2.x, where exposing sensitive
information to connection editors was the intended and documented
behavior.

Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.

References:
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54831
