Platform
python
Component
apache-airflow
Fixed in
3.2.0
3.2.0
3.2.0
CVE-2025-66236 impacts Apache Airflow versions 3.0.0 through 3.2.0. This vulnerability arises from a lack of clarity in Airflow's documentation concerning secure deployment practices. This ambiguity could lead to Deployment Managers making incorrect assumptions about Airflow's security model, potentially compromising workload isolation and JWT authentication. A fix is available in version 3.2.0.
The core of this vulnerability lies in the potential for misconfiguration due to unclear documentation. Deployment Managers, responsible for setting up and maintaining Airflow environments, might inadvertently make assumptions that contradict Airflow's intended security model. This could manifest in several ways, including inadequate workload isolation, where tasks from different users or systems can interfere with each other. Furthermore, improper JWT authentication configuration could allow unauthorized access to sensitive data and resources. The blast radius extends to any Airflow deployment where these assumptions are made, potentially exposing sensitive data and disrupting critical workflows. While not a direct code execution vulnerability, the misconfigurations it enables can be exploited to achieve similar outcomes.
This vulnerability is not currently listed on KEV. The EPSS score is likely low, as it relies on misconfiguration rather than a direct exploit. No public proof-of-concept (PoC) code is currently available. The vulnerability was publicly disclosed on 2026-04-13.
Exploit Status
EPSS
0.11% (29% percentile)
The primary mitigation for CVE-2025-66236 is to upgrade to Apache Airflow version 3.2.0 or later, which includes improved documentation and clarifies the expected security model. Prior to upgrading, carefully review Airflow's documentation on workload isolation and JWT authentication to ensure your deployment adheres to best practices. If upgrading is not immediately feasible, thoroughly review your existing Airflow deployment configuration, paying close attention to user roles, permissions, and authentication mechanisms. Consider implementing stricter access controls and auditing to detect any potential misconfigurations. After upgrading, confirm the fix by reviewing the Airflow documentation and verifying that workload isolation and JWT authentication are configured according to best practices.
Update Apache Airflow to version 3.2.0 or higher to prevent configuration secrets from being logged in plaintext in the DAG run logs UI. Review the Airflow security documentation to ensure a secure configuration.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-66236 affects Apache Airflow versions 3.0.0–3.2.0 and arises from unclear documentation regarding secure deployment practices, potentially leading to misconfigurations impacting workload isolation and JWT authentication.
If you are running Apache Airflow versions 3.0.0 through 3.2.0, you are potentially affected. Review your deployment configuration and upgrade to 3.2.0 to mitigate the risk.
Upgrade to Apache Airflow version 3.2.0 or later. Review the documentation on workload isolation and JWT authentication to ensure proper configuration.
There are no confirmed reports of active exploitation at this time, but the potential for misconfiguration remains a risk.
Refer to the Apache Airflow security page for updates and advisories: https://airflow.apache.org/security/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.