CVE-2025-66388

CWE-2015 documents5 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 88.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedDec 15

Description

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/airflow3.1.0 — 3.1.4

▶PyPIapache-airflow3.1.0 — 3.1.5

▶CVEListV5apache_software_foundation/apache_airflow3.1.0 — 3.1.4

🔴Vulnerability Details

GHSA

Apache Airflow exposes secret values to authenticated UI users via rendered templates↗2025-12-15

▶

OSV

Apache Airflow exposes secret values to authenticated UI users via rendered templates↗2025-12-15

▶

CVEList

Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI↗2025-12-15

▶

🕵️Threat Intelligence

Wiz

CVE-2025-66388 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶