Description
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
References (3)
Core 3
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
Issue Tracking patch
https://github.com/apache/airflow/pull/59688
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/01/15/6
Scores
CVSS v3
7.5
EPSS
0.0198
EPSS Percentile
77.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (3)
apache/airflow
< 3.1.6
pypi/apache-airflow
0 - 2.11.1PyPI
pypi/apache-airflow
3.0.0b1 - 3.1.6PyPI
Published
Jan 16, 2026
Tracked Since
Feb 18, 2026