6.5

CVE-2025-27555

EPSS 0.02%
Veröffentlicht 24.02.2026 10:16:02
Zuletzt bearbeitet 11.03.2026 16:16:19
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version < 2.11.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.062

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/apache/airflow/pull/61882

Issue Tracking

https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-27555

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-27555

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27555

EUVD