CVE-2025-68438

7.5 HIGH

📋 TL;DR

This vulnerability in Apache Airflow exposes sensitive values such as passwords and API keys in cleartext in the Rendered Templates UI when a template field exceeds the configured maximum length (max_templated_field_length). It affects Airflow users who have registered custom mask_secret() patterns and have not upgraded to version 3.1.6. The issue occurs because user-registered mask_secret() patterns were not applied during serialization before the oversized field was truncated, so only the built-in masking took effect.
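The following is an added, constructed model of the ordering problem described above; it is not Airflow's code. Built-in secrets, a mask_secret()-style registry, the max length and the sample field are all assumptions chosen to show how an oversized field that skips user-registered patterns leaks a secret while the corrected path masks everything before truncating.

```python
import re

# Constructed, simplified model of rendered-template serialization.
# Not Airflow's implementation; names and values are illustrative.
BUILTIN_SECRETS = ["conn-pw-7f3a"]   # secrets the system knows on its own
USER_SECRETS: list = []              # added at runtime via mask_secret()

def mask_secret(secret: str) -> None:
    """Register an additional literal that must never reach the UI."""
    if secret and secret not in USER_SECRETS:
        USER_SECRETS.append(secret)

def _redact(text: str, secrets: list) -> str:
    for s in secrets:
        text = re.sub(re.escape(s), "***", text)
    return text

def _truncate(text: str, max_len: int) -> str:
    return text if len(text) <= max_len else text[:max_len] + "...(truncated)"

def render_vulnerable(rendered: str, max_len: int) -> str:
    """Bug shape: an oversized field is serialized with only built-in secrets
    masked, then truncated; user-registered patterns are never applied."""
    if len(rendered) > max_len:
        return _truncate(_redact(rendered, BUILTIN_SECRETS), max_len)
    return _redact(rendered, BUILTIN_SECRETS + USER_SECRETS)

def render_fixed(rendered: str, max_len: int) -> str:
    """Corrected order: mask with every registered secret, truncate last."""
    return _truncate(_redact(rendered, BUILTIN_SECRETS + USER_SECRETS), max_len)

def leaks(output: str) -> list:
    """Return every registered secret that survives into the UI string."""
    return [s for s in BUILTIN_SECRETS + USER_SECRETS if s in output]

def demo(max_len: int = 80):
    """Constructed oversized field containing one built-in and one user secret."""
    mask_secret("user-api-key-9c1d")
    field = ("curl -H 'Authorization: Bearer user-api-key-9c1d' "
             "-u svc:conn-pw-7f3a https://example.invalid/ " + "x" * 100)
    return leaks(render_vulnerable(field, max_len)), leaks(render_fixed(field, max_len))

if __name__ == "__main__":
    vulnerable_leaks, fixed_leaks = demo()
    print("vulnerable path leaks:", vulnerable_leaks)  # ['user-api-key-9c1d']
    print("fixed path leaks:     ", fixed_leaks)       # []
```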

💻 Affected Systems

Products:
  • Apache Airflow
Versions: All versions before 3.1.6
Operating Systems: All operating systems running Apache Airflow
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who have registered custom mask_secret() patterns and have template fields exceeding max_templated_field_length.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with access to the Airflow UI could extract all sensitive credentials, secrets, and API keys stored in Airflow, leading to complete system compromise and data breaches.

🟠 Likely Case

Authorized users or attackers with UI access can view exposed secrets in rendered templates, potentially gaining unauthorized access to downstream systems and services.

🟢 If Mitigated

With proper network segmentation and access controls, only authorized administrators could see exposed secrets, limiting the blast radius.

🌐 Internet-Facing: HIGH if Airflow UI is exposed to the internet, as attackers could directly access and extract sensitive data.
🏢 Internal Only: MEDIUM, as internal attackers or compromised accounts could still access exposed secrets, but doing so requires some level of network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the Airflow UI and knowledge of which DAGs have template fields that exceed the length limit and contain sensitive data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.6 or later

Vendor Advisory: https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff

Restart Required: Yes

Instructions:

1. Back up your Airflow configuration and database.
2. Upgrade Apache Airflow to version 3.1.6 or later using pip: pip install --upgrade apache-airflow==3.1.6
3. Restart all Airflow services, including the webserver, scheduler, and workers.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Reduce max_templated_field_length

Platform: all

Lower the maximum template field length to prevent fields from exceeding the limit at which truncation occurs.

Set [core] max_templated_field_length to a lower value in airflow.cfg.

Disable Rendered Templates UI

Platform: all

Restrict access to the Rendered Templates UI through network controls or authentication.

Configure webserver authentication or network ACLs to block access to the /rendered-templates endpoints.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access the Airflow UI
  • Audit all DAGs to ensure sensitive values aren't stored in template fields that could exceed length limits

🔍 How to Verify

Check if Vulnerable:

Check the Airflow version and verify whether custom mask_secret() patterns are used together with template fields that could exceed max_templated_field_length.

Check Version:

airflow version
pip show apache-airflow | grep -i '^Version'

Verify Fix Applied:

After upgrading to 3.1.6 or later, confirm that sensitive values in template fields exceeding the length limit are properly masked in the Rendered Templates UI.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /rendered-templates endpoints
  • Multiple failed authentication attempts to Airflow UI

Network Indicators:

  • Unusual traffic to Airflow webserver from unexpected IPs
  • Large data extraction from Airflow UI endpoints

SIEM Query:

source="airflow-webserver" AND (uri_path="/rendered-templates" OR uri_path="/template") AND (src_ip NOT IN allowed_admin_ips)
