CVE-2025-66388

6.5 MEDIUM

📋 TL;DR

This vulnerability in Apache Airflow lets any authenticated user with UI access read secret values in rendered task templates, because the redaction applied to the rendered view was incomplete. Passwords, API keys and tokens that flow into templated operator fields (for example from Connections or Variables) are shown in clear to users who should not see them. Every Airflow deployment running a version before 3.1.4 with authenticated UI users is affected.

💻 Affected Systems

Products:
  • Apache Airflow
Versions: before 3.1.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with authenticated UI users; anonymous access configurations are not vulnerable.

📦 What is this software?

Apache Airflow is an open-source platform for programmatically authoring, scheduling and monitoring workflows (DAGs) written in Python. Operator arguments are Jinja-templated at run time, and the UI's Rendered Template tab shows the values a task actually ran with. Connections and Variables are Airflow's built-in stores for credentials, and values from them commonly end up in those templated fields.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A low-privileged UI account harvests every secret that appears in rendered templates across the DAGs it can view (database passwords, cloud API keys, service tokens) and uses them to reach the connected databases and external services directly, bypassing Airflow entirely.

🟠 Likely Case

Internal users with UI access read connection passwords or tokens in the Rendered Template tab, by accident or on purpose, and end up holding credentials for systems beyond their intended scope.

🟢 If Mitigated

With UI access limited to trusted operators and rendered-template views audited, exposure is confined to that group; even they may still see secrets beyond their intended scope until the patch is applied.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs nothing more than an authenticated UI account: the attacker opens the Rendered Template tab of a task instance (or the API response the UI fetches it from) and reads the unmasked values. No crafted input is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.4

Vendor Advisory: https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g

Restart Required: Yes

Instructions:

1. Back up your Airflow configuration and metadata database.
2. Upgrade to 3.1.4 with the matching constraints file so provider and dependency versions stay consistent, substituting your Python version (e.g. 3.12):
   pip install "apache-airflow==3.1.4" --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-3.1.4/constraints-<python-version>.txt"
3. Apply any metadata-database migrations: airflow db migrate
4. Restart every Airflow service (api-server, scheduler, dag-processor, triggerer and any workers) on every host; the fix is not in effect on a host that still runs the old code.
5. Verify with 'airflow version' on each host, then confirm as a non-admin user that secrets in the Rendered Template tab now appear as ***.

🔧 Temporary Workarounds

Restrict UI Access

Applies to: all

Limit UI access to the trusted operators who need it and keep non-admin roles as narrow as your RBAC setup allows. On an unpatched instance every authenticated UI user, whatever their role, can read the exposed values, so the size of that user set is the size of the exposure.

Disable Template Rendering

Applies to: all

If your workflows do not need the Rendered Template view, keep non-admin roles away from it (for example by tightening the RBAC permissions on task-instance views). This shrinks the attack surface but is not a substitute for the patch.

🧯 If You Can't Patch

  • Keep secrets out of templated fields: have tasks fetch Connections and Variables at run time inside their own code instead of interpolating {{ conn.<id>.password }} or {{ var.value.<name> }} into templated operator arguments, so the rendered view never contains the value in the first place.
  • Rotate every secret that has appeared in a rendered template (connection passwords, API keys, tokens), on the assumption that any authenticated UI user may already have read it.
  • Confirm [core] hide_sensitive_var_conn_fields is still True and add any non-standard secret field names to [core] sensitive_var_conn_names; this widens what the masker tries to hide as defence in depth but does not close the gap the patch fixes.
  • Tighten RBAC so only trusted operators hold UI roles, and audit access to rendered-template views so unexpected viewers are noticed.

🔍 How to Verify

Check if Vulnerable:

Run 'airflow version' on each host; anything below 3.1.4 (including 3.1.4 pre-releases such as 3.1.4rc1) is vulnerable. To confirm the exposure itself, log in as a non-admin user, open the Rendered Template tab of a task instance whose templated fields reference a Connection password or a secret Variable, and check whether the value is shown in clear instead of as ***.

Check Version:

airflow version

Verify Fix Applied:

After upgrading to 3.1.4, repeat the check as a non-admin user: every secret in the rendered fields must appear as *** both in the Rendered Template tab and in the task-instance API response the UI fetches it from. Also confirm 'airflow version' reports 3.1.4 or later on every component host, not only the one you upgraded from.
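The two checks above, the version test and the rendered-field inspection, as a small script. This is an added example written for this page, not Apache Airflow project code: the version parser treats 3.1.4 pre-releases as unfixed, and the leak scanner walks a rendered-fields dict of the shape the UI and task-instance API show, reporting every secret value found verbatim. The sample rendered fields, DAG and secret values are constructed, and the assumption that a correctly redacted view shows secrets as *** is stated in the code.

```python
"""Added example for this page (not Apache Airflow project code).

Two checks for CVE-2025-66388 triage:
  * is_vulnerable(): decides from an `airflow version` string whether the
    install predates the 3.1.4 fix, treating pre-releases such as 3.1.4rc1
    as vulnerable.
  * find_leaked_secrets(): scans rendered template fields (the dict shown in
    the UI's Rendered Template tab / returned for a task instance) for secret
    values that should have been masked.
Assumption: a correctly redacted view replaces secrets with "***"; the
sample rendered fields and secret values below are constructed, not real.
"""
import re

FIXED_VERSION = (3, 1, 4)
MASK = "***"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc|\.dev)\d*)?")


def parse_version(text):
    """Parse '3.1.3', '3.1.4rc1' or '3.1.4.dev0' into ((major, minor, patch), is_prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Airflow version string: {text!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    return release, m.group(4) is not None


def is_vulnerable(version_text):
    """True when the reported version is older than the fixed 3.1.4 release."""
    release, prerelease = parse_version(version_text)
    if release < FIXED_VERSION:
        return True
    # 3.1.4rc1 / 3.1.4.dev0 sort before the final 3.1.4 and do not carry the fix.
    return release == FIXED_VERSION and prerelease


def find_leaked_secrets(rendered_fields, secret_values):
    """Return [(field_path, secret)] for every secret found verbatim in the rendered fields.

    Walks nested dicts/lists (operator kwargs such as `env` are dicts) so a
    secret buried in a sub-field is reported with a dotted path.
    """
    leaks = []

    def walk(value, path):
        if isinstance(value, dict):
            for key, item in value.items():
                walk(item, f"{path}.{key}" if path else str(key))
        elif isinstance(value, (list, tuple)):
            for idx, item in enumerate(value):
                walk(item, f"{path}[{idx}]")
        elif isinstance(value, str):
            for secret in sorted(secret_values):  # sorted: deterministic report order
                if secret and secret in value:
                    leaks.append((path, secret))

    walk(rendered_fields, "")
    return leaks


# --- constructed sample data (hypothetical DAG, hypothetical secrets) ---------
SECRETS = ["s3cr3t-db-pass", "AKIAEXAMPLEKEY0000"]

# What a leaky (pre-fix) rendered view of a BashOperator task might contain.
RENDERED_BEFORE_FIX = {
    "bash_command": "psql postgresql://app:s3cr3t-db-pass@db.internal/app -c 'select 1'",
    "env": {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEKEY0000", "REGION": "eu-west-1"},
}

# The same fields as they should look once redaction works.
RENDERED_AFTER_FIX = {
    "bash_command": f"psql postgresql://app:{MASK}@db.internal/app -c 'select 1'",
    "env": {"AWS_ACCESS_KEY_ID": MASK, "REGION": "eu-west-1"},
}

if __name__ == "__main__":
    for v in ("2.10.5", "3.1.3", "3.1.4rc1", "3.1.4", "3.2.0"):
        print(f"{v:>8}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    print("before fix:", find_leaked_secrets(RENDERED_BEFORE_FIX, SECRETS))
    print("after fix: ", find_leaked_secrets(RENDERED_AFTER_FIX, SECRETS))
```

In practice you would feed find_leaked_secrets the rendered_fields dict pulled from the task-instance API for a task you know references a Connection password, together with the real values fetched from your secrets backend; an empty result after the upgrade is the pass condition.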

📡 Detection & Monitoring

Log Indicators:

  • Requests to rendered-template views (the /rendered-templates route in Airflow 2.x; the corresponding api-server requests in 3.x) from accounts that have no operational reason to inspect task parameters.
  • One account pulling rendered templates for many different DAGs or task instances in a short window, which looks like enumeration rather than debugging; 401/403 responses on the same routes show attempts from accounts that lack the permission.

Network Indicators:

  • A rise in UI/API traffic to rendered-template routes, especially when it comes from a single client address or outside working hours.

SIEM Query:

source="airflow_webserver.log" AND ("rendered" OR "template") AND user!="admin"

This is a sketch, not a ready-made query: the default Airflow/gunicorn access log carries no application username, so the user field has to come from a reverse proxy or the auth manager's audit log, and "admin" should be replaced by the set of accounts that legitimately debug tasks.
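The same triage as a script that can be run over an exported log, covering all three indicators above (non-admin viewers, bursts that look like enumeration, and denied attempts). This is an added example written for this page, not Airflow project code. The log line format, usernames, DAG names and addresses are constructed; it assumes your logging already attaches a username to each request, which default gunicorn access logs do not, and the route pattern (/rendered-templates, the Airflow 2.x UI route) should be adjusted to whatever your api-server actually logs.

```python
"""Added example for this page (not Apache Airflow project code).

Triage of access-log lines for rendered-template views: flags non-admin
accounts that successfully viewed rendered templates, bursts of views that
look like enumeration rather than debugging, and denied attempts.

Assumptions (constructed for the example): the log format below carries a
username per request (default gunicorn access logs do not; the field must
come from your auth manager's audit log or a reverse proxy), and the route
pattern matches how your deployment logs the rendered-template view
(/rendered-templates is the Airflow 2.x UI route; adjust for your api-server).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# <iso-timestamp> <user> <client-ip> "<METHOD> <path> HTTP/x" <status>
_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')
_RENDERED_RE = re.compile(r"rendered[-_]?templates", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line in the constructed format; None for anything else."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, method, path, status = m.groups()
    query = parse_qs(urlparse(path).query)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "dag_id": query.get("dag_id", [""])[0],
    }


def triage(lines, admins, burst_count=5, window=timedelta(minutes=5)):
    """Return findings for rendered-template requests only.

    non_admin_viewers: user -> sorted dag_ids whose templates they viewed (2xx)
    bursts:            user -> largest number of 2xx views inside `window`,
                       reported only when it reaches `burst_count`
    denied:            user -> count of 401/403 responses on these routes
    """
    per_user = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        if _RENDERED_RE.search(event["path"]):
            per_user[event["user"]].append(event)

    findings = {"non_admin_viewers": {}, "bursts": {}, "denied": {}}
    for user, events in per_user.items():
        ok = sorted((e for e in events if 200 <= e["status"] < 300), key=lambda e: e["ts"])
        denied = [e for e in events if e["status"] in (401, 403)]
        if denied:
            findings["denied"][user] = len(denied)
        if ok and user not in admins:
            findings["non_admin_viewers"][user] = sorted({e["dag_id"] for e in ok})
        # Sliding window over successful views: many views across DAGs in a
        # short span is enumeration, not someone debugging one failing task.
        start = 0
        for end in range(len(ok)):
            while ok[end]["ts"] - ok[start]["ts"] > window:
                start += 1
            size = end - start + 1
            if size >= burst_count:
                findings["bursts"][user] = max(findings["bursts"].get(user, 0), size)
    return findings


# --- constructed sample log (hypothetical users, DAGs and addresses) -----------
LOG_LINES = [
    '2025-12-10T09:00:01Z alice 10.0.0.5 "GET /rendered-templates?dag_id=etl&task_id=load HTTP/1.1" 200',
    '2025-12-10T09:00:05Z carol 10.0.0.7 "GET /dags/etl/grid HTTP/1.1" 200',
    '2025-12-10T09:01:00Z bob 10.0.0.9 "GET /rendered-templates?dag_id=etl&task_id=load HTTP/1.1" 200',
    '2025-12-10T09:01:03Z bob 10.0.0.9 "GET /rendered-templates?dag_id=etl&task_id=extract HTTP/1.1" 200',
    '2025-12-10T09:01:07Z bob 10.0.0.9 "GET /rendered-templates?dag_id=billing&task_id=export HTTP/1.1" 200',
    '2025-12-10T09:01:12Z bob 10.0.0.9 "GET /rendered-templates?dag_id=hr_sync&task_id=pull HTTP/1.1" 200',
    '2025-12-10T09:01:15Z bob 10.0.0.9 "GET /rendered-templates?dag_id=ml_train&task_id=fit HTTP/1.1" 200',
    '2025-12-10T09:02:30Z dave 10.0.0.11 "GET /rendered-templates?dag_id=billing&task_id=export HTTP/1.1" 403',
    '2025-12-10T09:30:00Z alice 10.0.0.5 "GET /rendered-templates?dag_id=etl&task_id=load HTTP/1.1" 200',
]
ADMINS = {"alice"}

if __name__ == "__main__":
    for kind, hits in triage(LOG_LINES, ADMINS).items():
        print(f"{kind}: {hits}")
```

Tune burst_count and window to your operators' habits: an on-call engineer chasing one failing task reopens the same DAG's templates a few times, while an account sweeping five different DAGs in fifteen seconds (bob in the sample) is the pattern worth paging on.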

🔗 References

  • Vendor advisory: https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g