CVE-2025-68675

7.5 HIGH

📋 TL;DR

Apache Airflow versions before 3.1.6 expose proxy credentials in logs when connections contain proxy URLs with embedded authentication. This allows attackers with log access to steal credentials. All Airflow deployments using proxy connections with authentication are affected.

💻 Affected Systems

Products:
  • Apache Airflow
Versions: All versions before 3.1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using proxy connections with embedded authentication credentials in proxy URLs.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain proxy credentials, pivot to internal networks, compromise sensitive systems, and potentially achieve full environment takeover.

🟠

Likely Case

Credential theft leading to unauthorized access to proxy-protected resources, data exfiltration, or lateral movement within the network.

🟢

If Mitigated

Limited to credential exposure without actual compromise if logs are properly secured and monitored.

🌐 Internet-Facing: MEDIUM - Requires log access which may be exposed via web interfaces or misconfigurations.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can easily access logs containing credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to Airflow logs where proxy connection details are printed. No special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.6 or later

Vendor Advisory: https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5

Restart Required: Yes

Instructions:

1. Backup your Airflow configuration and database.
2. Upgrade Airflow to version 3.1.6 or later using pip: pip install --upgrade apache-airflow==3.1.6
3. Restart all Airflow services (webserver, scheduler, workers).
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Disable proxy logging
Applies to: all

  • Configure Airflow to not log connection details containing proxy URLs.
  • Set log level to WARNING or higher for connection-related logs in airflow.cfg.

Remove embedded credentials
Applies to: all

  • Replace proxy URLs containing embedded credentials with separate credential storage.
  • Update connections to use Airflow's secrets backend for proxy credentials instead of embedding them in URLs.

🧯 If You Can't Patch

  • Implement strict access controls on Airflow log files and directories
  • Monitor and alert on any access to logs containing connection or proxy information

🔍 How to Verify

Check if Vulnerable:

Check Airflow version: if below 3.1.6 and using proxy connections with embedded credentials, you are vulnerable.

Check Version:

airflow version

Verify Fix Applied:

After upgrade to 3.1.6+, test that proxy URLs in connection logs are masked (show as '***' instead of actual credentials).

📡 Detection & Monitoring

Log Indicators:

  • Log entries containing proxy URLs with visible username:password@ format
  • Connection details in logs showing unmasked authentication

Network Indicators:

  • Unusual proxy authentication attempts from unexpected sources

SIEM Query:

source="airflow.logs" AND ("proxy" AND ("http://" OR "https://") AND "@")
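The SIEM query above and the "Remove embedded credentials" workaround both come down to the same check: does a URL carry a username:password@ userinfo part? The following Python script is an added example, not part of this advisory or of the Airflow project. It scans log lines for URLs with embedded credentials, produces a redacted copy suitable for forwarding, and offers an audit helper for checking proxy URLs stored in connections before they reach a log. The log lines are constructed samples; the function names and the redaction format (***:***) are this example's own choices, not Airflow's.

```python
import re
from urllib.parse import urlsplit

# Matches scheme://user[:password]@rest in free text. The scheme is required,
# so plain e-mail addresses or "@" in unrelated text do not trigger a hit.
# The rest of the URL stops at whitespace or a quote so that dict/str
# representations in DEBUG output (e.g. {'https': 'https://u:p@h:8080'})
# are captured without the trailing quote.
_USERINFO_URL = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?P<user>[^\s:/@]+)"
    r"(?::(?P<pw>[^\s/@]*))?"
    r"@(?P<rest>[^\s'\"]+)"
)

# Constructed sample log lines (not real Airflow output). Line 1 and 3 leak
# proxy credentials; line 2 is a benign connection message.
SAMPLE_LOG = [
    "[2025-01-01T00:00:00] INFO - Using proxy http://svc-user:Hunter2!@proxy.internal:3128 for outbound requests",
    "[2025-01-01T00:00:01] INFO - Connection http_default: host=api.example.com port=443",
    "[2025-01-01T00:00:02] DEBUG - proxies={'https': 'https://bob:p%40ss@10.0.0.5:8080'}",
]


def find_embedded_credentials(line):
    """Return (scheme, username, host_part) for every URL in the line that carries userinfo.

    The password itself is deliberately not returned so that a detection
    result does not become a second copy of the secret.
    """
    return [
        (m.group("scheme"), m.group("user"), m.group("rest"))
        for m in _USERINFO_URL.finditer(line)
    ]


def redact_line(line):
    """Replace the userinfo part of every matching URL with ***:*** so the line is safe to store or forward."""
    return _USERINFO_URL.sub(lambda m: f"{m.group('scheme')}***:***@{m.group('rest')}", line)


def scan_log(lines):
    """Scan an iterable of log lines and report each line that exposes URL-embedded credentials."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hits = find_embedded_credentials(line)
        if hits:
            findings.append({"line": lineno, "urls": hits, "redacted": redact_line(line)})
    return findings


def proxy_url_has_credentials(url):
    """Audit helper for the workaround: True if a proxy URL embeds a username or password.

    Run this over the proxy URLs stored in your connections; any True result
    is a candidate for moving the credential into a secrets backend.
    """
    parts = urlsplit(url)
    return bool(parts.username or parts.password)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        users = ", ".join(f"{scheme}{user}@{rest}" for scheme, user, rest in finding["urls"])
        print(f"line {finding['line']}: credential in URL for {users}")
        print(f"  redacted: {finding['redacted']}")
```

The redaction keeps the scheme and host so an analyst can still see which proxy was used, while the username and password are dropped from both the report and the redacted line. Because the regex requires a scheme and stops at quotes, it also handles the dict-style DEBUG output that a broad "@"-based SIEM query would match only with more false positives.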

🔗 References
