CVE-2025-66388
Apache Airflow exposes secret values to authenticated UI users via rendered templates
6.5
MEDIUM
CVSS 3.1
EPSS 0.04%
Description
A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.
How to fix CVE-2025-66388
To remediate CVE-2025-66388, upgrade the affected package to a fixed version below.
- —upgrade to 3.1.4 or later
- —upgrade to 3.1.5 or later
- —upgrade to 3.1.4 or later
Is CVE-2025-66388 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 3.1.0, < 3.1.4
- >= 3.1.0, < 3.1.5
- >= 3.1.0, < 3.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |