CVE-2025-66388: Apache Airflow exposes secret values to authenticated UI users via rendered templates

December 15, 2025 (updated December 16, 2025)

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization.

Users are recommended to upgrade to version 3.1.4, which fixes this issue.

References

github.com/advisories/GHSA-fv47-pqh6-wxgq
github.com/apache/airflow
github.com/apache/airflow/pull/58767
github.com/apache/airflow/pull/58772
lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g
nvd.nist.gov/vuln/detail/CVE-2025-66388

Code Behaviors & Features

Detect and mitigate CVE-2025-66388 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →