CVE-2025-54831

EPSS 0.04%
Published 26.09.2025 08:15:38
Last modified 01.10.2025 15:23:03
Source security@apache.org
Teams watchlist Login
Open Login

Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values.


In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option.


This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.






Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Airflow Version3.0.3 Update-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.133

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-213 Exposure of Sensitive Information Due to Incompatible Policies

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5podxspf

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-54831

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54831

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54831

EUVD