CVE-2025-27555
Sensitive Data Exposure in Apache Airflow Audit Logs Pre
Publication date: 2026-02-24
Last updated on: 2026-03-11
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | to 2.11.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-532 | The product writes sensitive information to a log file. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Apache Airflow versions before 2.11.1 and allows authenticated users who have access to audit logs to see sensitive values that they should not be able to view.
Specifically, when sensitive connection parameters were set using the Airflow CLI, these sensitive values appeared in the audit logs and were stored unencrypted in the Airflow database.
The issue is limited to users with audit log access, but it exposes confidential connection details that should remain hidden.
The vulnerability was fixed in Airflow version 2.11.1 by masking sensitive connection details during connection creation, preventing their exposure in logs.
How can this vulnerability impact me? :
If you have users with audit log access, this vulnerability could lead to unauthorized disclosure of sensitive connection parameters such as passwords or tokens.
This exposure could allow malicious or unauthorized users to gain confidential information that might be used to compromise systems or data.
The risk is limited to those with audit log access, but if such access is not tightly controlled, it could lead to significant security breaches.
Upgrading to Airflow 2.11.1 or later and manually deleting existing sensitive entries from the audit log table are recommended mitigation steps.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing the audit logs in Apache Airflow for the presence of sensitive connection parameter values that were set via the airflow CLI. Since these sensitive values appear unencrypted in the audit logs and stored in the Airflow database, inspecting the log table for such entries is key.
Specifically, you can query the Airflow database's log table to identify entries containing sensitive connection details. For example, using SQL commands to search for connection-related entries in the audit logs may help detect exposure.
- Run a SQL query on the Airflow metadata database log table to find entries with connection parameters, e.g.: SELECT * FROM log WHERE event LIKE '%connection%' OR message LIKE '%connection%';
- Check audit logs for any plaintext sensitive values that should not be visible.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Apache Airflow to version 2.11.1 or later, where this vulnerability has been addressed by masking sensitive connection details in logs.
Additionally, users who previously set connections via the CLI should manually delete entries containing sensitive connection values from the audit log table in the Airflow database to remove exposed data.
This update was implemented in a pull request that masks sensitive details during connection creation, preventing future exposure.