Apache Airflow Vulnerabilities Expose Sensitive Data Leak

Multiple vulnerabilities in Apache Airflow versions preceding 3.1.6 can expose sensitive authentication credentials and secrets within logs and user interfaces.

Both issues stem from inadequate masking of sensitive data during rendering and logging operations, potentially compromising proxy credentials and database secrets in production environments.

Proxy Credentials Leak in Task Logs

The first vulnerability, CVE-2025-68675, affects all versions of Apache Airflow before 3.1.6. The flaw resides in how Airflow handles proxy configurations within Connection objects.

Proxy URLs often contain embedded authentication credentials in the format http://username:password@proxy-host:port.

However, the proxies and proxy fields were not marked as sensitive, preventing Airflow’s automatic log masking from obfuscating these credentials when connections are rendered or logged during task execution.

This creates a significant exposure vector because task logs are frequently accessed by multiple team members, stored in centralized logging systems, and archived for compliance purposes.

An attacker or unauthorized user with read access to logs could extract proxy credentials and leverage them to intercept or redirect network traffic from affected workflows.

Organizations running tasks that utilize proxy-authenticated connections face a heightened risk of credential compromise.

Secrets Exposure in UI

CVE-2025-68438 introduces a different but equally problematic exposure path.

When rendered template fields exceed the configured [core] max_templated_field_length threshold, the serialization process uses a secrets masker instance that lacks user-registered mask_secret() patterns.

This means that custom-registered secret patterns are not applied before field truncation and are displayed in the Rendered Templates UI.

Consequently, sensitive values stored in templated fields, such as API keys, database passwords, or encrypted tokens, may appear in cleartext in the web interface.

The truncation operation occurs after serialization but before masking completion, exposing portions of secrets to any user with access to the Airflow web UI.

Both vulnerabilities require authentication to the Airflow environment, but also represent insider threats and lateral movement risks.

Organizations with strict log retention policies face extended exposure windows, as leaked credentials may remain accessible in archived logs indefinitely.

Apache Airflow 3.1.6 addresses both issues by properly designating proxy fields as sensitive and ensuring user-registered mask patterns apply before template truncation.

All affected users should upgrade immediately. For environments unable to upgrade promptly, implementing restrictive access controls on log systems and the Airflow web UI provides temporary mitigation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.