CVE-2026-25219: Apache Airflow Secrets Leak - Versions 0.0.0-3.1.8
Platform
python
Component
apache-airflow
Fixed in
3.1.8
3.1.8
CVE-2026-25219 affects Apache Airflow, specifically concerning the handling of sensitive connection properties. This vulnerability allows users with read permissions to view sensitive data like accesskey and connectionstring within the Connection UI and potentially in application logs. Versions 0.0.0 through 3.1.8 are impacted; however, a fix has been released in version 3.1.8 to address this issue.
Detect this CVE in your project
Upload your requirements.txt file and we'll tell you instantly if you're affected.
Impact and Attack Scenarios
CVE-2026-25219 in Apache Airflow impacts how sensitive credentials are handled within connections. Specifically, the accesskey and connectionstring connection properties, often used with Azure Service Bus to store confidential information, were not marked as sensitive names in the secrets masker. This means a user with read permissions could view these values in the Connections UI. Furthermore, if a connection was accidentally logged, these sensitive values could be exposed in the logs. While Azure Service Bus is the most prominent use case, other providers utilizing these fields to store sensitive data may also be affected. The severity of this vulnerability lies in the potential exposure of credentials that could enable unauthorized access to critical resources.
Exploitation Context
An attacker with read permissions in the Connections UI could directly view the values of accesskey and connectionstring. If Airflow logs are not configured correctly, an attacker could find these values in the logs. The risk is particularly high if these credentials are used to access critical services like Azure Service Bus, as an attacker could use these credentials to compromise those services. The lack of secrets masking in the UI and logs simplifies the exploitation of this vulnerability.
Threat Intelligence
Exploit Status
EPSS
0.02% (6% percentile)
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The solution to this vulnerability is to upgrade Apache Airflow to version 3.1.8 or higher. This version corrects the issue by properly marking the accesskey and connectionstring properties as sensitive names in the secrets masker. We strongly recommend applying this upgrade as soon as possible to protect your credentials. Additionally, review your Airflow logs to identify any instances where credentials were accidentally exposed and take steps to mitigate any potential unauthorized access. Consider implementing stricter access policies for connections and limiting access to the Connections UI to authorized users only.
How to fix
Actualice Apache Airflow a la versión 3.1.8 o superior para evitar la exposición de credenciales sensibles en la interfaz de usuario y en los registros. Verifique las conexiones existentes, especialmente aquellas que utilizan Azure Service Bus, para asegurarse de que no almacenan información confidencial en los campos 'access_key' o 'connection_string'.
CVE Security Newsletter
Vulnerability analysis and critical alerts directly to your inbox.
Frequently asked questions
What is CVE-2026-25219 in Apache Airflow?
The secrets masker is a feature in Airflow that hides sensitive information, such as passwords and access keys, in the UI and logs.
Am I affected by CVE-2026-25219 in Apache Airflow?
Version 3.1.8 fixes the vulnerability by correctly marking sensitive properties, preventing credential exposure.
How do I fix CVE-2026-25219 in Apache Airflow?
Immediately change the affected passwords and access keys and review logs for any suspicious activity.
Is CVE-2026-25219 being actively exploited?
Implement strict access policies, regularly review your logs, and consider using secrets management solutions.
Where can I find the official Apache Airflow advisory for CVE-2026-25219?
It primarily affects connections that utilize the accesskey and connectionstring properties, especially those interacting with Azure Service Bus or other services storing sensitive data in these fields.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.