CVE-2025-68675

HIGH

Apache Airflow <3.1.6 - Info Disclosure

Title source: llm

Description

In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue

References (3)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5

[Issue Tracking] https://github.com/apache/airflow/pull/59688

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2026/01/15/6

Scores

CVSS v3 7.5

EPSS 0.0003

EPSS Percentile 8.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (2)

apache/airflow < 3.1.6

pypi/apache-airflow 0 - 3.1.6PyPI

Published Jan 16, 2026

Tracked Since Feb 18, 2026