Apache Airflow Sensitive Information Exposure Vulnerability in Connections

Vulnerability

A vulnerability in Apache Airflow 3.0.3 allows sensitive connection details to be read by users who hold only READ permission on connections, through both the API and the UI. The issue arises from an unintended break in the write-only model for sensitive connection values introduced in Airflow 3: such values are meant to be settable but never readable back. The exposure also bypasses the AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS configuration option, so enabling that setting does not mitigate it. Airflow 2.x is not affected: there, the exposure of sensitive values to users permitted to edit connections was intentional and documented.
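
The check below is an added example and is not part of the advisory or of the Airflow code base. It audits connection objects as returned by the Airflow API and reports which secret-bearing fields a READ-only caller can see in clear, which is how a practitioner would confirm exposure before and after upgrading. It assumes that `password` and `extra` are the sensitive connection fields, that Airflow masks secrets with the literal `***`, that Airflow 3 serves its public API under `/api/v2` with Bearer-token authentication, and that the list endpoint wraps results in a `connections` array; the sample responses are constructed, not captured from a real deployment.

```python
"""Audit Airflow connection API responses for secrets visible to READ-only users."""
from __future__ import annotations

import json
import urllib.request

# Assumption: Airflow masks secret values with "***", and a key in `extra`
# containing one of these substrings is treated as secret-bearing.
REDACTED = "***"
SENSITIVE_KEY_MARKERS = ("password", "passwd", "secret", "token", "api_key",
                         "apikey", "private_key", "authorization", "passphrase")


def is_affected_version(version: str) -> bool:
    """True only for the 3.0.3 release named in the advisory."""
    return version.strip() == "3.0.3"


def is_sensitive_key(key: str) -> bool:
    """Heuristic: does this `extra` key name look like it carries a secret?"""
    lowered = key.lower()
    return any(marker in lowered for marker in SENSITIVE_KEY_MARKERS)


def leaked_fields(connection: dict) -> list[str]:
    """Return the fields of one connection whose secret content is exposed in clear.

    `password` leaks if present and not masked. `extra` is a JSON string; it leaks
    if any secret-bearing key inside it carries a value other than the mask.
    """
    leaked: list[str] = []
    if connection.get("password") not in (None, "", REDACTED):
        leaked.append("password")

    extra = connection.get("extra")
    if extra not in (None, "", REDACTED):
        try:
            extra_obj = json.loads(extra) if isinstance(extra, str) else extra
        except ValueError:
            extra_obj = None
        if not isinstance(extra_obj, dict):
            leaked.append("extra")  # opaque, non-JSON extra: assume it holds secrets
        elif any(is_sensitive_key(k) and v != REDACTED for k, v in extra_obj.items()):
            leaked.append("extra")
    return leaked


def audit_response(body: str) -> dict[str, list[str]]:
    """Map connection_id -> leaked fields for a list response or a single connection."""
    data = json.loads(body)
    connections = data.get("connections", [data]) if isinstance(data, dict) else data
    report: dict[str, list[str]] = {}
    for conn in connections:
        leaked = leaked_fields(conn)
        if leaked:
            report[conn["connection_id"]] = leaked
    return report


def fetch_connections(base_url: str, bearer_token: str) -> str:
    """Fetch the connection list using a READ-only token (network call, not run here).

    Assumption: Airflow 3's public API is served under /api/v2 and accepts Bearer tokens.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/connections",
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample responses (not captured from a real deployment).
LEAKING_RESPONSE = json.dumps({
    "connections": [
        {"connection_id": "prod_db", "conn_type": "postgres", "host": "db.internal",
         "login": "airflow", "password": "s3cret-db-pass",
         "extra": json.dumps({"sslmode": "require", "aws_secret_access_key": "CONSTRUCTED"})},
        {"connection_id": "slack_alerts", "conn_type": "http", "host": "hooks.slack.com",
         "password": None, "extra": json.dumps({"token": "xoxb-constructed"})},
    ],
    "total_entries": 2,
})

REDACTED_RESPONSE = json.dumps({
    "connections": [
        {"connection_id": "prod_db", "conn_type": "postgres", "host": "db.internal",
         "login": "airflow", "password": "***",
         "extra": json.dumps({"sslmode": "require", "aws_secret_access_key": "***"})},
    ],
    "total_entries": 1,
})

if __name__ == "__main__":
    print(audit_response(LEAKING_RESPONSE))   # {'prod_db': ['password', 'extra'], 'slack_alerts': ['extra']}
    print(audit_response(REDACTED_RESPONSE))  # {}
```

Point `audit_response` at the body returned by `fetch_connections` for a token that holds READ permission only; a non-empty report on a 3.0.3 deployment reproduces the exposure, and an empty report after upgrading to 3.0.4 confirms the write-only model is back in place.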

Impact

The vulnerability allows users who should only be able to view connection metadata to read the stored secrets, leading to the disclosure of credentials for the external systems those connections authenticate to.

Remediation

Users of Apache Airflow 3.0.3 are advised to upgrade to version 3.0.4 or later. Because the exposure bypasses AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS, enabling that option is not a workaround; upgrading is the fix. Where connection READ permission had been granted to users who should not see credentials, consider rotating the secrets stored in those connections.

Added: Sep 26, 2025, 8:20 AM
Updated: Sep 26, 2025, 3:47 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          2.5
exploitability  5.2
remediation     7.7
relevance       0.6
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.