CVE-2025-65995

MEDIUM

Airflow <3.1.4/2.11.1 - Info Disclosure

Title source: llm

Description

When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.

References (4)

Core 4

Core References

Issue Tracking patch

https://github.com/apache/airflow/pull/58252

Mailing List vendor-advisory

https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2

Issue Tracking patch

https://github.com/apache/airflow/pull/61883

Mailing List

http://www.openwall.com/lists/oss-security/2025/12/12/2

Scores

CVSS v3 6.5

EPSS 0.0080

EPSS Percentile 51.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-209

Status published

Products (2)

apache/airflow < 2.11.1

pypi/apache-airflow 0 - 2.11.1PyPI

Published Feb 21, 2026

Tracked Since Feb 21, 2026