Message-ID: <2a7c5a23-48cd-4bdf-4cca-e8c4035116f6@apache.org>
Date: Fri, 12 Dec 2025 09:03:55 +0000
From: Ephraim Anierobi <ephraimanierobi@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-66388: Apache Airflow: Secrets in rendered templates not
 redacted properly and exposed in the UI 

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.1.0 before 3.1.4

Description:

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization.

Users are recommended to upgrade to version 3.1.4, which fixes this issue.

Credit:

William Ashe (finder)
Amogh Desai (remediation developer)

References:

https://github.com/apache/airflow/pull/58772
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66388
