Platform
python
Component
apache-airflow
Fixed in
3.1.8
CVE-2026-25219 affects Apache Airflow, specifically concerning the handling of sensitive connection properties. This vulnerability allows users with read permissions to view sensitive data like access_key and connection_string within the Connection UI and potentially in application logs. Versions 0.0.0 through 3.1.8 are impacted; however, a fix has been released in version 3.1.8 to address this issue.
CVE-2026-25219 in Apache Airflow impacts how sensitive credentials are handled within connections. Specifically, the access_key and connection_string connection properties, often used with Azure Service Bus to store confidential information, were not marked as sensitive names in the secrets masker. This means a user with read permissions could view these values in the Connections UI. Furthermore, if a connection was accidentally logged, these sensitive values could be exposed in the logs. While Azure Service Bus is the most prominent use case, other providers utilizing these fields to store sensitive data may also be affected. The severity of this vulnerability lies in the potential exposure of credentials that could enable unauthorized access to critical resources.
An attacker with read permissions in the Connections UI could directly view the values of access_key and connection_string. If Airflow logs are not configured correctly, an attacker could find these values in the logs. The risk is particularly high if these credentials are used to access critical services like Azure Service Bus, as an attacker could use these credentials to compromise those services. The lack of secrets masking in the UI and logs simplifies the exploitation of this vulnerability.
Exploit Status
EPSS
0.02% (6% percentile)
The solution to this vulnerability is to upgrade Apache Airflow to version 3.1.8 or higher. This version corrects the issue by properly marking the access_key and connection_string properties as sensitive names in the secrets masker. We strongly recommend applying this upgrade as soon as possible to protect your credentials. Additionally, review your Airflow logs to identify any instances where credentials were accidentally exposed and take steps to mitigate any potential unauthorized access. Consider implementing stricter access policies for connections and limiting access to the Connections UI to authorized users only.
Upgrade Apache Airflow to version 3.1.8 or later to prevent sensitive credentials from being exposed in the user interface and in logs. Check existing connections, especially those that use Azure Service Bus, to make sure they do not store confidential information in the 'access_key' or 'connection_string' fields.
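The two checks recommended above (reviewing logs for exposed values and checking which connections hold these fields) can be scripted. The following is an added example, not code from Apache Airflow or from this advisory; it assumes connections have been exported as plain dicts whose extra field is JSON, and that leaked values appear in logs as dict or JSON dumps. All ids, hosts and key values are constructed.

```python
import json
import re

# Field names the advisory says the secrets masker did not treat as sensitive.
UNMASKED_FIELDS = ("access_key", "connection_string")

# Matches 'key': 'value' or "key"="value" as seen in dict/JSON dumps (assumed log shape).
_LEAK_RE = re.compile(
    r"""(?P<pre>(?P<key>access_key|connection_string)["']?\s*[:=]\s*(?P<q>["']))"""
    r"""(?P<val>.+?)(?P=q)"""
)

def audit_connections(connections):
    """Return (conn_id, field) for each non-empty unmasked field in a connection's extra."""
    findings = []
    for conn in connections:
        try:
            extra = json.loads(conn.get("extra") or "{}")
        except json.JSONDecodeError:
            continue  # extra is not JSON, so there are no named fields to inspect
        if isinstance(extra, dict):
            findings += [(conn["conn_id"], f) for f in UNMASKED_FIELDS if extra.get(f)]
    return findings

def scan_log_lines(lines):
    """Return (line_no, fields, redacted_line) for every line that exposes a value."""
    hits = []
    for no, line in enumerate(lines, 1):
        fields = sorted({m.group("key") for m in _LEAK_RE.finditer(line)})
        if fields:  # report the line with the secret replaced, never the secret itself
            hits.append((no, fields, _LEAK_RE.sub(r"\g<pre>***\g<q>", line)))
    return hits

# Constructed sample data (hypothetical connection ids, hosts and key values).
CONNECTIONS = [
    {"conn_id": "asb_orders",
     "extra": '{"connection_string": "Endpoint=sb://example.invalid/;SharedAccessKey=CONSTRUCTED"}'},
    {"conn_id": "pg_reporting", "extra": '{"sslmode": "require"}'},
    {"conn_id": "blob_archive", "extra": '{"access_key": "CONSTRUCTED-KEY"}'},
    {"conn_id": "no_extra", "extra": None},
]
LOG_LINES = [
    "[2026-01-01 00:00:00] INFO - Using connection asb_orders",
    "[2026-01-01 00:00:01] DEBUG - extra={'connection_string': 'Endpoint=sb://example.invalid/;SharedAccessKey=CONSTRUCTED'}",
    '[2026-01-01 00:00:02] DEBUG - payload {"access_key": "CONSTRUCTED-KEY", "retries": 3}',
]

if __name__ == "__main__":
    print(audit_connections(CONNECTIONS))
    for hit in scan_log_lines(LOG_LINES):
        print(hit)
```

Every connection id and log line reported identifies a credential to rotate, since its value may already have been read.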
The secrets masker is a feature in Airflow that hides sensitive information, such as passwords and access keys, in the UI and logs.
Version 3.1.8 fixes the vulnerability by correctly marking sensitive properties, preventing credential exposure.
Immediately change the affected passwords and access keys and review logs for any suspicious activity.
Implement strict access policies, regularly review your logs, and consider using secrets management solutions.
It primarily affects connections that utilize the access_key and connection_string properties, especially those interacting with Azure Service Bus or other services storing sensitive data in these fields.