3.2.0
3.2.0
3.2.0
CVE-2025-66236 impacts Apache Airflow versions 3.0.0 through 3.2.0. This vulnerability arises from a lack of clarity in Airflow's documentation concerning secure deployment practices. This ambiguity could lead to Deployment Managers making incorrect assumptions about Airflow's security model, potentially compromising workload isolation and JWT authentication. A fix is available in version 3.2.0.
The core of this vulnerability lies in the potential for misconfiguration due to unclear documentation. Deployment Managers, responsible for setting up and maintaining Airflow environments, might inadvertently make assumptions that contradict Airflow's intended security model. This could manifest in several ways, including inadequate workload isolation, where tasks from different users or systems can interfere with each other. Furthermore, improper JWT authentication configuration could allow unauthorized access to sensitive data and resources. The blast radius extends to any Airflow deployment where these assumptions are made, potentially exposing sensitive data and disrupting critical workflows. While not a direct code execution vulnerability, the misconfigurations it enables can be exploited to achieve similar outcomes.
This vulnerability is not currently listed on KEV. The EPSS score is likely low, as it relies on misconfiguration rather than a direct exploit. No public proof-of-concept (PoC) code is currently available. The vulnerability was publicly disclosed on 2026-04-13.
Organizations deploying Apache Airflow in production, particularly those relying on Deployment Managers or automated deployment pipelines, are at risk. Legacy Airflow deployments with minimal security oversight and those using shared hosting environments are also particularly vulnerable.
disclosure
エクスプロイト状況
EPSS
0.11% (29% パーセンタイル)
The primary mitigation for CVE-2025-66236 is to upgrade to Apache Airflow version 3.2.0 or later, which includes improved documentation and clarifies the expected security model. Prior to upgrading, carefully review Airflow's documentation on workload isolation and JWT authentication to ensure your deployment adheres to best practices. If upgrading is not immediately feasible, thoroughly review your existing Airflow deployment configuration, paying close attention to user roles, permissions, and authentication mechanisms. Consider implementing stricter access controls and auditing to detect any potential misconfigurations. After upgrading, confirm the fix by reviewing the Airflow documentation and verifying that workload isolation and JWT authentication are configured according to best practices.
Actualice Apache Airflow a la versión 3.2.0 o superior para evitar que los secretos de la configuración se registren en texto plano en la interfaz de usuario de los registros de ejecución de DAG. Revise la documentación de seguridad de Airflow para asegurar una configuración segura.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-66236 affects Apache Airflow versions 3.0.0–3.2.0 and arises from unclear documentation regarding secure deployment practices, potentially leading to misconfigurations impacting workload isolation and JWT authentication.
If you are running Apache Airflow versions 3.0.0 through 3.2.0, you are potentially affected. Review your deployment configuration and upgrade to 3.2.0 to mitigate the risk.
Upgrade to Apache Airflow version 3.2.0 or later. Review the documentation on workload isolation and JWT authentication to ensure proper configuration.
There are no confirmed reports of active exploitation at this time, but the potential for misconfiguration remains a risk.
Refer to the Apache Airflow security page for updates and advisories: https://airflow.apache.org/security/
requirements.txt ファイルをアップロードすると、影響の有無を即座にお知らせします。