CVE-2025-68438

HIGH EPSS 43.6%

Published Jan 16, 20265mo ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Jan 16, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

43.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 1

Vendor	Product	Version	Range
apache	airflow	*	≥3.1.0 – <3.1.6

References 2

openwall.com http://www.openwall.com/lists/oss-security/2026/01/15/5

Mailing ListThird Party Advisory
lists.apache.org https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff

Mailing ListVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.