
CVE-2025-68438: Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated

January 16, 2026 (updated June 5, 2026)

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.

Users are recommended to upgrade to 3.1.6 or later, which fixes this issue.
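The failure mode described above, as an added example that is not Airflow's code or part of the original advisory: a simplified model in which the over-length path redacts with a fresh masker instance instead of the one holding user-registered patterns. `ToyMasker`, `SHARED_MASKER`, the two `serialize_*` functions, the limit of 40 and the sample secret are all hypothetical, constructed for illustration.

```python
import re

MAX_TEMPLATED_FIELD_LENGTH = 40  # constructed stand-in for [core] max_templated_field_length


class ToyMasker:
    """Hypothetical, simplified masker; not Airflow's implementation."""

    def __init__(self):
        self._secrets = set()

    def add_mask(self, secret):
        if secret:
            self._secrets.add(secret)

    def redact(self, text):
        if not self._secrets:
            return text  # nothing registered on this instance, so nothing is masked
        longest_first = sorted(self._secrets, key=len, reverse=True)
        return re.sub("|".join(re.escape(s) for s in longest_first), "***", text)


SHARED_MASKER = ToyMasker()  # the instance user code registers secrets with


def mask_secret(secret):
    """Toy counterpart of a user-level mask_secret() call."""
    SHARED_MASKER.add_mask(secret)


def serialize_vulnerable(rendered):
    if len(rendered) <= MAX_TEMPLATED_FIELD_LENGTH:
        return SHARED_MASKER.redact(rendered)
    # Flawed over-length path: a fresh masker has no user-registered patterns.
    return ToyMasker().redact(rendered)[:MAX_TEMPLATED_FIELD_LENGTH] + "... [truncated]"


def serialize_fixed(rendered):
    # Redact with the shared masker first, then truncate the already-masked text.
    masked = SHARED_MASKER.redact(rendered)
    if len(masked) <= MAX_TEMPLATED_FIELD_LENGTH:
        return masked
    return masked[:MAX_TEMPLATED_FIELD_LENGTH] + "... [truncated]"


# Constructed sample: a rendered field longer than the limit that carries a secret.
SAMPLE_SECRET = "s3cr3t-constructed-token"
mask_secret(SAMPLE_SECRET)
SAMPLE_FIELD = f"curl -H 'X-Token: {SAMPLE_SECRET}' https://example.invalid/run?job=nightly"
```

In this model the short field is masked on both paths, while the over-length field shows a truncated prefix of the secret on the flawed path only.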

References

  • github.com/advisories/GHSA-3qmm-r55x-hpxx
  • github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-9.yaml
  • lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff
  • nvd.nist.gov/vuln/detail/CVE-2025-68438

Affected versions

All versions starting from 3.1.0 before 3.1.6

Fixed versions

  • 3.1.6

Solution

Upgrade to version 3.1.6 or above.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

pypi/apache-airflow/CVE-2025-68438.yml

Page generated Wed, 24 Jun 2026 00:17:50 +0000.