CVE-2025-68438

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.

Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

Vulnerability Details

Published Date

January 16, 2026

Last Modified

January 21, 2026

CWE ID

CWE-200

Source

NVD

Vendor

apache

Product

airflow

External References

https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff
http://www.openwall.com/lists/oss-security/2026/01/15/5

CVE-2025-68438

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment