CVE-2025-68438
Severity
7.5HIGH
EPSS
0.0%
top 94.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 16
Description
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.
Users are recommended to upgrade to 3.1.6 or later, which fixes this issue
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages3 packages
🔴Vulnerability Details
3CVEList▶
Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated↗2026-01-16
OSV▶
Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated↗2026-01-16
GHSA▶
Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated↗2026-01-16