Description
The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data.

If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.1.8
Published: 2026-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure via exposed connection strings
Action: Update Airflow
AI Analysis

Impact

The updated description confirms that the access_key and connection_string fields were not marked as sensitive names in Airflow’s secrets masker, allowing users with read permission to view these values in the Connection UI or in logs where connections are inadvertently written. The exposed data includes credentials used by Azure Service Bus and potentially other providers employing the same fields, resulting in a confidentiality compromise (CWE-200).

Affected Systems

Apache Airflow, specifically any deployment that uses Azure Service Bus connections with access_key or connection_string properties. Other providers that store sensitive data in the same fields may also be impacted. No specific version information is provided in the CNA data.

Risk and Exploitability

This is a confidentiality-only risk that requires read access to the Connection UI or logs, with no privilege escalation. The CVSS score is 6.5, indicating a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the KEV catalog, which together suggest a moderate likelihood of exploitation. Mitigation is required promptly to prevent accidental leakage of credentials. The attack vector is an authorized user with view permissions reading the UI or parsing logs.

Generated by OpenCVE AI on April 15, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.1.8 where the properties are properly marked as sensitive.
  • Re‑configure any existing connections that use access_key or connection_string to ensure sensitive data is masked and not logged.
  • Restrict view permissions on the Connection UI and logging to only necessary personnel.

Generated by OpenCVE AI on April 15, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4g48-54q2-fg7q Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
History

Fri, 17 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow
Vendors & Products Apache
Apache airflow

Wed, 15 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data. If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.2.0. The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data. If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.1.8

Wed, 15 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data. If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.2.0.
Title Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
Weaknesses CWE-200
References

Subscriptions

Apache Airflow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-15T20:02:22.052Z

Reserved: 2026-01-30T09:13:59.458Z

Link: CVE-2026-25219

cve-icon Vulnrichment

Updated: 2026-04-15T17:24:18.117Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-15T13:16:24.343

Modified: 2026-04-17T18:37:33.230

Link: CVE-2026-25219

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses