Apache Airflow Flaws Risk Exposure of Sensitive Data


Multiple vulnerabilities in Apache Airflow versions prior to 3.1.6 could lead to the exposure of sensitive credentials through task logs and the web interface. The issues are caused by improper masking of secrets during logging and template rendering.

These flaws may expose proxy credentials, database passwords, API keys, and other secrets in production environments.

Vulnerability Summary

CVE ID | Affected Versions | Severity | Exposure Location
CVE-2025-68675 | < 3.1.6 | Low | Task logs
CVE-2025-68438 | 3.1.0 – 3.1.6 | Low | Rendered Templates UI

Proxy Credentials Exposure via Task Logs

The first issue affects how Apache Airflow handles proxy configurations inside Connection objects. Proxy URLs can include embedded authentication details, such as usernames and passwords.

These proxy fields were not marked as sensitive, which prevented Airflow’s automatic masking from hiding credentials when connections were rendered or logged during task execution. As a result, proxy credentials could appear in plain text within task logs.

Since task logs are often accessible to multiple users and stored in centralized logging systems, this creates a risk of credential misuse and unauthorized access.

The second vulnerability impacts the Rendered Templates section of the Airflow web UI. When templated fields exceed the configured size limit, the masking process may not apply custom secret-masking rules correctly.

This can cause sensitive values, such as API keys or database passwords, to be partially displayed in clear text in the UI. Any user with access to the Airflow web interface could potentially view these exposed values.

Although both issues require authenticated access, they introduce insider-threat risks and can support lateral movement within environments. Long log retention policies can extend exposure if leaked credentials remain stored in archived logs.

Mitigation and Recommendation

Apache Airflow version 3.1.6 resolves both issues by properly classifying proxy fields as sensitive and ensuring secret-masking rules are applied before data is rendered or truncated.

Organizations are strongly advised to upgrade as soon as possible. If immediate upgrades are not feasible, restricting access to task logs and the Airflow web UI can help reduce exposure.
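Upgrading does not clean credentials that were already written to retained or archived task logs. The following added example (not code from Apache Airflow or from this advisory) scans log lines for URLs that carry an embedded username and password and reports them with the password redacted, so the affected credentials can be rotated. The sample log lines, host names and credentials are constructed, and treating a password made up only of `*` characters as already masked is an assumption.

```python
import re
import sys
from urllib.parse import urlsplit

# URL with userinfo (scheme://user:password@host...), the form a proxy URL
# with embedded authentication takes.
URL_WITH_CREDS = re.compile(
    r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s/@:'\"]+:[^\s/@'\"]+@[^\s'\"<>]+"
)

# Constructed sample lines (not real Airflow output); all values are made up.
SAMPLE_LOG = [
    "[2026-01-20T10:00:01] INFO - starting task fetch_items",
    "[2026-01-20T10:00:02] INFO - extra: {'proxies': {'https': "
    "'http://svc_proxy:Example-Pass1@proxy.example.internal:3128'}}",
    "[2026-01-20T10:00:03] INFO - fetching https://api.example.com/v1/items",
    "[2026-01-20T10:00:04] INFO - proxy=http://svc_proxy:***@proxy.example.internal:3128",
]

def find_credential_urls(lines):
    """Return (line_no, redacted_url) for each URL with an unmasked password."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in URL_WITH_CREDS.finditer(line):
            url = match.group(0).rstrip(".,;)]}")  # drop trailing punctuation
            try:
                parts = urlsplit(url)
            except ValueError:
                continue  # not a parseable URL, ignore
            password = parts.password
            # Assumption: a password consisting only of '*' was already masked.
            if not password or set(password) == {"*"}:
                continue
            hostport = parts.netloc.rpartition("@")[2]
            redacted = f"{parts.scheme}://{parts.username}:<redacted>@{hostport}"
            findings.append((line_no, redacted))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan the log files given on the command line
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                for line_no, url in find_credential_urls(fh):
                    print(f"{path}:{line_no}: {url}")
    else:  # no arguments: run on the constructed sample
        for line_no, url in find_credential_urls(SAMPLE_LOG):
            print(f"sample:{line_no}: {url}")
```

The output never contains the password itself, so the report can be shared with the team that rotates the credentials.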

January 21st, 2026 | Cybersecurity, Security Update, Security Advisory, Vulnerability, Vulnerability Reports

About the Author:

FirstHackersNews- Identifies Security
