CVE-2026-25219
Received Received - Intake
Sensitive Data Exposure in Apache Airflow Connection Properties

Publication date: 2026-04-15

Last updated on: 2026-04-17

Assigner: Apache Software Foundation

Description
The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data. If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.1.8
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25219
EUVD
EUVD-2026-22921
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow to 3.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves Apache Airflow's handling of sensitive information in connection configurations for Azure services. Specifically, the connection properties named `access_key` and `connection_string` were not marked as sensitive fields in Airflow's secrets masker.

Because these fields were not recognized as sensitive, users with only read permissions could see the actual secret values in the Connection UI and also in logs if the connection was accidentally logged. This exposed sensitive credentials such as Azure Service Bus connection strings and access keys in plaintext.

The issue was fixed by adding these keys to the list of default sensitive fields, ensuring that these values are redacted in API responses and logs, preventing unauthorized disclosure.

Impact Analysis

If you use Apache Airflow with Azure Service Bus or other Azure connections that store sensitive values in `access_key` or `connection_string` fields, this vulnerability could allow users with read-only permissions to view these secrets.

This exposure could lead to unauthorized access to your Azure resources, as attackers or unauthorized users might obtain connection strings or keys that grant access to services.

Additionally, if connection details were accidentally logged, sensitive information could be exposed in logs accessible to users without proper privileges.

To mitigate this risk, upgrading Airflow to version 3.1.8 or later is recommended, where these fields are properly redacted.

Compliance Impact

This vulnerability exposes sensitive Azure connection credentials (such as access keys and connection strings) to users with read-only permissions, potentially leading to unauthorized disclosure of sensitive data.

Such unauthorized exposure of sensitive information could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and credentials.

By allowing sensitive credentials to be visible in the UI and logs to users without sufficient privileges, the vulnerability increases the risk of data breaches and non-compliance with these regulations.

The fix implemented in Airflow 3.1.8 mitigates this risk by redacting these sensitive fields, helping organizations maintain compliance by preventing unauthorized access to secrets.

Detection Guidance

This vulnerability involves sensitive Azure connection properties (`access_key` and `connection_string`) being visible to users with read-only permissions in Apache Airflow connections and potentially exposed in logs.

To detect this vulnerability on your system, you should check if any connections in Apache Airflow contain these sensitive fields (`access_key` and `connection_string`) in their configuration and verify if these values are visible to users with read-only permissions.

You can use Airflow CLI or API commands to list connections and inspect their `extra` fields for these keys.

  • Use the Airflow CLI to list connections: `airflow connections list`
  • Inspect specific connection details for sensitive fields: `airflow connections get <connection_id>` and check if `access_key` or `connection_string` appear in the output.
  • Check Airflow logs for accidental logging of connection details that might include these sensitive fields.

If these sensitive values are visible in connection details or logs to users without sufficient privileges, the vulnerability is present.

Mitigation Strategies

The primary mitigation step is to upgrade Apache Airflow to version 3.1.8 or later, where the vulnerability is fixed by marking `access_key` and `connection_string` as sensitive fields.

This update ensures these sensitive values are automatically redacted in API responses and logs, preventing unauthorized disclosure.

  • Upgrade Airflow to version 3.1.8 or newer.
  • Review and restrict user permissions to ensure only authorized users have access to connection details.
  • Audit logs to identify any accidental exposure of sensitive connection information.

If upgrading immediately is not possible, consider manually redacting or rotating the sensitive keys stored in connections and avoid logging connection details.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart