CVE-2025-66236

Severity: N/A (No vector)
EPSS: No EPSS data
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 13

Description

Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to the security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in mor

Affected Packages: 1 package

Vulnerability Details (3)

CVEList: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI (2026-04-13)
VulDB: Apache Airflow up to 3.1.x Deployment Manager log file (2026-04-13)
GHSA: GHSA-j86x-fwp2-qh7v: Before Airflow 3 (2026-04-13)