CVE-2025-65995
Published: Feb 21, 2026
Modified: Mar 8, 2026
Description
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache Airflow | affected 3.0.0 - < 3.1.4affected 0 - < 2.11.1 |
Weaknesses (CWE)
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now