Description
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and to the security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and with following the Airflow security model are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. The updated documentation also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via the Airflow 3.2.0 blog announcement [4].

[1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html
[2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html
[3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html
[4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/

Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidential Information Disclosure
Action: Immediate Upgrade
AI Analysis

Impact

The vulnerability permits secrets from the Airflow configuration file to be logged in plain text within DAG run logs shown in the Airflow web UI. An attacker who can view these logs could recover sensitive credentials, potentially enabling further compromise of the underlying infrastructure. This causes a confidentiality breach of configuration data and is categorized as CWE-532. Based on the description, it is inferred that any user with permission to view DAG run logs can see the secrets; the specific attack vector is not explicitly stated, but log access appears to be the primary path.

Affected Systems

Apache Airflow from the Apache Software Foundation is affected. All releases earlier than version 3.2.0 are impacted because the fix was introduced in that release; no later sub-versions are mentioned.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. EPSS is < 1%, suggesting a low probability of widespread exploitation, and the vulnerability is not listed in CISA KEV. The exposure of credentials nevertheless remains a serious confidentiality breach. The likely exploitation path is through authorized UI access to DAG run logs, inferred from the log exposure in the UI. No public exploits are known, but logged secrets could be leveraged once an adversary gains log visibility, or wherever log visibility is not restricted.

Generated by OpenCVE AI on April 15, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.0 or later.
  • Follow the updated security model and workload isolation guidelines as described in the Airflow documentation.
  • Rotate any credentials that may have been logged before the upgrade.
  • Restrict DAG run log visibility in the Airflow UI to users with legitimate need, following the principle of least privilege.

Generated by OpenCVE AI on April 15, 2026 at 22:28 UTC.


Advisories
Source: Github GHSA
ID: GHSA-j86x-fwp2-qh7v
Title: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
History

Fri, 17 Apr 2026 18:45:00 +0000

  CPEs: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 20:15:00 +0000

  Metrics:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

  First Time appeared: Apache, Apache airflow
  Vendors & Products: Apache, Apache airflow

Mon, 13 Apr 2026 17:30:00 +0000

  References

Mon, 13 Apr 2026 15:00:00 +0000

  Description: same text as the Description section above
  Title: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
  Weaknesses: CWE-532
  References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-15T20:03:37.134Z

Reserved: 2025-11-25T16:03:35.709Z

Link: CVE-2025-66236

Vulnrichment

Updated: 2026-04-13T16:26:55.846Z

NVD

Status: Analyzed

Published: 2026-04-13T15:17:05.953

Modified: 2026-04-17T18:41:33.837

Link: CVE-2025-66236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses