CVE-2025-65995: Apache Airflow error reporting may expose full kwargs

February 21, 2026 (updated February 25, 2026)

When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.

The issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.

References

github.com/advisories/GHSA-gfw7-2v73-69wg
github.com/apache/airflow
github.com/apache/airflow/pull/58252
github.com/apache/airflow/pull/61883
lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2
nvd.nist.gov/vuln/detail/CVE-2025-65995

Code Behaviors & Features

Detect and mitigate CVE-2025-65995 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →