Apache Airflow <3.1.4 UI Secret Exposure via Unredacted Templates
CVE-2025-66388 Published on December 15, 2025
Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI
A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization.
Users are recommended to upgrade to version 3.1.4, which fixes this issue.
Vulnerability Analysis
CVE-2025-66388 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).
Products Associated with CVE-2025-66388
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-66388 are published in Apache AirFlow:
Affected Versions
Apache Software Foundation Apache Airflow:- Version 3.1.0 and below 3.1.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.