CVE-2025-27555
Received Received - Intake
Sensitive Data Exposure in Apache Airflow Audit Logs Pre

Publication date: 2026-02-24

Last updated on: 2026-03-11

Assigner: Apache Software Foundation

Description
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-27555
EUVD
EUVD-2025-207547
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow to 2.11.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Apache Airflow versions before 2.11.1 and allows authenticated users who have access to audit logs to see sensitive values that they should not be able to view.

Specifically, when sensitive connection parameters were set using the Airflow CLI, these sensitive values appeared in the audit logs and were stored unencrypted in the Airflow database.

The issue is limited to users with audit log access, but it exposes confidential connection details that should remain hidden.

The vulnerability was fixed in Airflow version 2.11.1 by masking sensitive connection details during connection creation, preventing their exposure in logs.

Impact Analysis

If you have users with audit log access, this vulnerability could lead to unauthorized disclosure of sensitive connection parameters such as passwords or tokens.

This exposure could allow malicious or unauthorized users to gain confidential information that might be used to compromise systems or data.

The risk is limited to those with audit log access, but if such access is not tightly controlled, it could lead to significant security breaches.

Upgrading to Airflow 2.11.1 or later and manually deleting existing sensitive entries from the audit log table are recommended mitigation steps.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by reviewing the audit logs in Apache Airflow for the presence of sensitive connection parameter values that were set via the airflow CLI. Since these sensitive values appear unencrypted in the audit logs and stored in the Airflow database, inspecting the log table for such entries is key.

Specifically, you can query the Airflow database's log table to identify entries containing sensitive connection details. For example, using SQL commands to search for connection-related entries in the audit logs may help detect exposure.

  • Run a SQL query on the Airflow metadata database log table to find entries with connection parameters, e.g.: SELECT * FROM log WHERE event LIKE '%connection%' OR message LIKE '%connection%';
  • Check audit logs for any plaintext sensitive values that should not be visible.
Mitigation Strategies

The primary mitigation step is to upgrade Apache Airflow to version 2.11.1 or later, where this vulnerability has been addressed by masking sensitive connection details in logs.

Additionally, users who previously set connections via the CLI should manually delete entries containing sensitive connection values from the audit log table in the Airflow database to remove exposed data.

This update was implemented in a pull request that masks sensitive details during connection creation, preventing future exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-27555. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart