CVE-2025-68438: Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated

January 16, 2026

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.

Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

References

github.com/advisories/GHSA-3qmm-r55x-hpxx
github.com/apache/airflow
lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff
nvd.nist.gov/vuln/detail/CVE-2025-68438

Code Behaviors & Features

Detect and mitigate CVE-2025-68438 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →