CVE-2026-25219
Sensitive Data Exposure in Apache Airflow Connection Properties
Publication date: 2026-04-15
Last updated on: 2026-04-17
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | up to 3.2.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability concerns how Apache Airflow's secrets masker treats two connection properties used by its Azure integrations: `access_key` and `connection_string`. Neither key name was on the masker's default list of sensitive field names, so values stored under them in a connection's `extra` JSON were treated as ordinary configuration.
Because the masker redacts by key name, any user with read access to Connections could see the real values in the Connection UI and through the REST API, and the same values would appear in plaintext in logs if a connection object or its `extra` field were ever logged. The credentials at stake include Azure Service Bus connection strings (which embed a shared access key) and Azure Storage account access keys.
The fix adds both key names to the default sensitive-field list, so their values are redacted in API responses and log output in the same way as `password` or `secret` fields. Masking is a display and logging control only: the secrets remain stored in the metadata database, and anyone with access to that database and its Fernet key can still retrieve them.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability leaves sensitive Azure connection properties (`access_key` and `connection_string`) visible to users with read-only permissions on Apache Airflow connections and potentially exposed in logs.
Because the masker works on key names, detection comes down to finding connections whose `extra` JSON stores secrets under these two keys on an Airflow version without the fix, and confirming whether a read-only user can see them.
You can use the Airflow CLI or REST API to list connections and inspect their `extra` fields for these keys. Note that the CLI runs with full access to the metadata database and always prints the real values, so it tells you which connections carry these keys, not whether they are masked for other users.
- List connections with the Airflow CLI: `airflow connections list`
- Inspect a specific connection: `airflow connections get <connection_id>` and check whether `access_key` or `connection_string` appear in its `extra` field. To check every connection at once, `airflow connections export connections.json --format json` writes all of them to a file you can script against; the file contains the real secrets, so delete it when you are done.
- Confirm the exposure from the affected perspective: log in as a user who holds only the Connections read permission and open the connection in the UI, or fetch it through the REST API connections endpoint. On an unfixed version the values of these two keys are shown in clear while `password` is masked.
- Check Airflow task and webserver logs for accidental logging of connection details that might include these fields.
If these sensitive values are visible in connection details or logs to users without sufficient privileges, the vulnerability is present.
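The masking rule described above and the audit just outlined, as an added example that is not Airflow's own code: it models the key-name substring check the secrets masker applies, shows why `access_key` and `connection_string` slip through the default keyword list while a key such as `aws_secret_access_key` does not, and scans a connections export for keys whose values would be displayed unredacted. `DEFAULT_SENSITIVE_FIELDS` is an approximation of Airflow's default list and should be checked against the version you run; the function names, the `extra_sensitive` parameter and the sample export are constructed for this example.

```python
"""Added example, not Airflow's own code: models the key-name-based redaction
that Airflow's secrets masker applies to connection 'extra' fields, and audits
an 'airflow connections export --format json' dump for keys whose values the
masker would leave unredacted. DEFAULT_SENSITIVE_FIELDS approximates Airflow's
default keyword list (assumption: check the list shipped with your version)."""
import json

# Approximation of Airflow's default sensitive keywords (assumption, see module docstring).
DEFAULT_SENSITIVE_FIELDS = frozenset({
    "access_token", "api_key", "apikey", "authorization", "passphrase", "passwd",
    "password", "private_key", "secret", "token", "keyfile_dict", "service_account",
})

# The two key names this advisory is about; neither contains a default keyword.
CVE_KEYS = ("access_key", "connection_string")


def is_sensitive_key(name, extra_sensitive=()):
    """Airflow-style check: a key is sensitive if any keyword (default list plus
    the extra names an operator configured) is a case-insensitive substring of it."""
    name = name.strip().lower()
    return any(kw in name for kw in (*DEFAULT_SENSITIVE_FIELDS, *extra_sensitive))


def redact_extra(extra, extra_sensitive=()):
    """Copy of a connection's extra dict with values of sensitive keys replaced by
    '***', which is what UI, API and log output receive."""
    return {k: "***" if is_sensitive_key(k, extra_sensitive) else v for k, v in extra.items()}


def parse_export(export_json):
    """Yield (conn_id, extra_dict) from a connections export. 'extra' may arrive as a
    JSON-encoded string or as a dict depending on how the export was produced."""
    for conn_id, conn in json.loads(export_json).items():
        extra = conn.get("extra") or {}
        if isinstance(extra, str):
            try:
                extra = json.loads(extra)
            except json.JSONDecodeError:
                extra = {}  # free-form extra: nothing key-based for the masker to act on
        if isinstance(extra, dict):
            yield conn_id, extra


def audit_connections(export_json, secret_keys=CVE_KEYS, extra_sensitive=()):
    """Return sorted (conn_id, key) pairs for keys matching secret_keys whose values
    the masker would display in clear. Keys that also contain a default keyword
    (e.g. 'aws_secret_access_key') are already masked and are not reported."""
    findings = []
    for conn_id, extra in parse_export(export_json):
        for key in extra:
            if any(s in key.lower() for s in secret_keys) and not is_sensitive_key(key, extra_sensitive):
                findings.append((conn_id, key))
    return sorted(findings)


# Constructed sample in the shape of 'airflow connections export --format json'; every value is fake.
SAMPLE_EXPORT = json.dumps({
    "azure_service_bus_default": {
        "conn_type": "azure_service_bus",
        "extra": json.dumps({
            "connection_string": "Endpoint=sb://example.servicebus.windows.net/;"
                                 "SharedAccessKeyName=RootManageSharedAccessKey;"
                                 "SharedAccessKey=constructed-sample-key",
        }),
    },
    "wasb_default": {
        "conn_type": "wasb",
        "login": "examplestorage",
        "extra": json.dumps({"access_key": "constructed-sample-storage-key",
                             "tenant_id": "00000000-0000-0000-0000-000000000000"}),
    },
    "aws_default": {
        "conn_type": "aws",
        "extra": {"aws_secret_access_key": "constructed-sample-aws-secret", "region_name": "us-east-1"},
    },
})

if __name__ == "__main__":
    print("unmasked by default:", audit_connections(SAMPLE_EXPORT))
    # Same audit with the two names added, as [core] sensitive_var_conn_names would do.
    print("after adding CVE keys:", audit_connections(SAMPLE_EXPORT, extra_sensitive=CVE_KEYS))
    print(redact_extra({"access_key": "k", "tenant_id": "t"}, extra_sensitive=CVE_KEYS))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the contents of the file written by `airflow connections export`. The `extra_sensitive` argument plays the role of Airflow's `[core] sensitive_var_conn_names` option: passing the two key names there reproduces the effect of the fix, which is why the second audit call returns nothing.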
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Apache Airflow to version 3.1.8 or later, where `access_key` and `connection_string` are included in the secrets masker's default list of sensitive fields.
With that change these values are redacted automatically in API responses and logs, preventing disclosure to users who only hold read access to connections.
- Upgrade Airflow to version 3.1.8 or newer.
- Review and restrict user permissions so that the Connections read permission is held only by users who need to see connection details.
- Audit logs to identify any accidental exposure of sensitive connection information.
If upgrading immediately is not possible, add both key names to Airflow's `[core] sensitive_var_conn_names` option (for example `AIRFLOW__CORE__SENSITIVE_VAR_CONN_NAMES=access_key,connection_string`), which extends the masker's keyword list and gives the same redaction the fix provides by default. Treat any Azure key or connection string that a read-only user may already have viewed as exposed and rotate it, since masking changes only what is displayed and does not undo prior disclosure. Also avoid logging connection objects or their `extra` fields from task code.
How can this vulnerability impact me?
If you use Apache Airflow with Azure Service Bus or other Azure connections that store sensitive values in `access_key` or `connection_string` fields, this vulnerability could allow users with read-only permissions to view these secrets.
This exposure could lead to unauthorized access to your Azure resources: a Service Bus connection string embeds a shared access key that grants whatever rights its access policy carries, and a storage account access key grants full access to that storage account's data.
Additionally, if connection details were accidentally logged, sensitive information could be exposed in logs accessible to users without proper privileges.
To mitigate this risk, upgrading Airflow to version 3.1.8 or later is recommended, where these fields are properly redacted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes sensitive Azure connection credentials (such as access keys and connection strings) to users with read-only permissions, potentially leading to unauthorized disclosure of sensitive data.
Such unauthorized exposure of sensitive information could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and credentials.
By allowing sensitive credentials to be visible in the UI and logs to users without sufficient privileges, the vulnerability increases the risk of data breaches and non-compliance with these regulations.
The fix implemented in Airflow 3.1.8 mitigates this risk by redacting these sensitive fields, helping organizations maintain compliance by preventing unauthorized access to secrets.