CVE-2025-66236
Status: Received - Intake
Insufficient Deployment Security Assumptions in Apache Airflow Before

Publication date: 2026-04-13

Last updated on: 2026-04-17

Assigner: Apache Software Foundation

Description
Before Airflow 3.2.0, it was not made clear that a secure Airflow deployment requires the Deployment Manager to take appropriate actions and to pay attention to security details and to Airflow's security model. Some assumptions a Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail.

Users concerned with role isolation and following the Airflow security model are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. The documentation also clarifies that the Deployment Manager is ultimately responsible for securing the Airflow deployment. This has also been communicated via the Airflow 3.2.0 blog announcement [4].

[1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html
[2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html
[3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html
[4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/

Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: apache
Product: airflow
Version / Range: from 3.0.0 (inclusive) to 3.2.0 (exclusive)
CWE
CWE-532: The product writes sensitive information to a log file.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-66236 is a vulnerability in Apache Airflow related to improper masking of secrets when using a deprecated import path for the mask_secret() function.

The deprecated import path redirected the mask_secret() function to a single-process implementation that only masked secrets within the task subprocess. However, the supervisor process, which writes the logs, did not receive the masking instructions, causing secrets to remain visible in the task logs.

This means that sensitive information could be exposed in logs despite attempts to mask it.

The issue was fixed by redirecting mask_secret() to a supervisor-aware implementation that masks secrets both in the task subprocess and the supervisor process, preventing secret leakage in logs.


How can this vulnerability impact me?

This vulnerability can lead to exposure of sensitive information in Airflow task logs.

If secrets are not properly masked, unauthorized users who have access to logs could see confidential data such as passwords, tokens, or other secrets.

This exposure increases the risk of data breaches, unauthorized access, and potential compromise of systems relying on those secrets.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper masking of secrets in Apache Airflow logs when using a deprecated import path for the mask_secret() function. Detection involves checking if your Airflow deployment uses the deprecated import path `airflow.sdk.execution_time.secrets_masker` for secret masking.

One practical way to detect this issue is to review your Airflow task logs for unmasked sensitive information that should have been masked.

Additionally, you can inspect your DAG code or Python scripts for imports from the deprecated path by running a command like:

  • grep -r "airflow.sdk.execution_time.secrets_masker" /path/to/your/airflow/dags

If this import is found, your deployment is likely affected by the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to upgrade your Apache Airflow deployment to version 3.2.0 or later, where this issue has been fixed.

If upgrading immediately is not possible, review your DAGs and code to remove any usage of the deprecated import path `airflow.sdk.execution_time.secrets_masker` and instead use the supported import path `airflow.sdk.log` for the mask_secret() function.

Also, carefully review your Airflow deployment security model and workload isolation settings as described in the official Airflow documentation to ensure your deployment is secure.

Finally, monitor your logs for any exposure of secrets and avoid using deprecated APIs that could lead to secret leakage.

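As an added example (not from the page, the Q&A, or the Airflow project), a Python scanner covering the detection and mitigation steps in the two answers above: it walks each DAG file's AST instead of grepping text, so it also flags `from airflow.sdk.execution_time import secrets_masker`, which a grep for the dotted path misses, and reports the supported `airflow.sdk.log` import as the fix for each hit. The sample DAG source is constructed for the demonstration.

```python
import ast

# Import paths named in the advisory Q&A: the deprecated module and the supported replacement.
DEPRECATED_MODULE = "airflow.sdk.execution_time.secrets_masker"
SUPPORTED_FIX = "from airflow.sdk.log import mask_secret"


def _finding(filename: str, lineno: int, stmt: str) -> dict:
    return {"file": filename, "line": lineno, "import": stmt, "fix": SUPPORTED_FIX}


def find_deprecated_imports(source: str, filename: str = "<dag>") -> list[dict]:
    """One finding per import statement that resolves to the deprecated module.
    Walks the AST rather than matching text, so it also catches
    `from airflow.sdk.execution_time import secrets_masker`, which a grep for the dotted path misses.
    """
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:  # unparsable file: report it rather than skip it silently
        return [_finding(filename, exc.lineno or 0, "<syntax error>")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            # `import airflow.sdk.execution_time.secrets_masker [as sm]`
            for alias in node.names:
                if alias.name == DEPRECATED_MODULE or alias.name.startswith(DEPRECATED_MODULE + "."):
                    findings.append(_finding(filename, node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            stmt = f"from {node.module} import {', '.join(a.name for a in node.names)}"
            # `from airflow.sdk.execution_time.secrets_masker import mask_secret`
            # or `from airflow.sdk.execution_time import secrets_masker`
            if (node.module == DEPRECATED_MODULE
                    or node.module.startswith(DEPRECATED_MODULE + ".")
                    or any(f"{node.module}.{a.name}" == DEPRECATED_MODULE for a in node.names)):
                findings.append(_finding(filename, node.lineno, stmt))
    return findings


# Constructed sample DAG source (not from the page): three deprecated forms, one supported.
SAMPLE_DAG = """\
from airflow.sdk.execution_time.secrets_masker import mask_secret
from airflow.sdk.execution_time import secrets_masker
import airflow.sdk.execution_time.secrets_masker as sm
from airflow.sdk.log import mask_secret as ok_mask
"""

if __name__ == "__main__":
    for f in find_deprecated_imports(SAMPLE_DAG, "sample_dag.py"):
        print(f"{f['file']}:{f['line']}: {f['import']}  ->  {f['fix']}")
```

To scan a real DAGs folder, feed each `.py` file's contents and path to `find_deprecated_imports`; only the first three sample lines are reported, the supported `airflow.sdk.log` import is not.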

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability relates to the improper masking of secrets in Apache Airflow logs, which could lead to exposure of sensitive information. Such exposure can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper handling of secrets.

The CVE description emphasizes that secure Airflow deployments require the Deployment Manager to take appropriate security actions and follow the security model of Airflow. Upgrading to Airflow 3.2.0 is recommended as it includes several security improvements that help ensure secrets are properly masked and workload isolation is enforced.

Failure to mask secrets properly in logs could lead to unauthorized disclosure of sensitive data, which may violate data protection requirements under regulations such as GDPR and HIPAA. Therefore, addressing this vulnerability by upgrading and following the security guidelines is important for maintaining compliance.

