CVSS 3.1 score: 6.5

Apache Airflow error reporting may leak sensitive data

CVE-2025-65995 GHSA-gfw7-2v73-69wg
Summary

A bug in Apache Airflow's error reporting could expose sensitive information in the UI. If you use Airflow, consider upgrading to 3.1.5rc1 or 2.11.1 to prevent any potential data breaches. If you're not able to upgrade immediately, take steps to minimize the data you pass to operators and consider restricting user access to sensitive DAGs.

What to do
  • Update apache-airflow to version 2.11.1.
  • Update apache-airflow to version 3.1.5rc1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | apache-airflow | <= 2.11.1 | 2.11.1 |
| | apache-airflow | > 3.0.0b1 , <= 3.1.5rc1 | 3.1.5rc1 |
| apache | airflow | <= 2.11.1 | |
| apache | airflow | > 3.0.0 , <= 3.1.4 | |
Original title
Apache Airflow error reporting may expose full kwargs
Original description
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. 

The issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.
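
The failure mode described above, reduced to a stand-alone sketch with one mitigation pattern. This is an added example, not Airflow's code or its actual fix; `ToyOperator`, the key fragments and the sample token are constructed for illustration.

```python
import traceback

# Assumed key fragments treated as sensitive; tune for your own DAGs.
SENSITIVE_FRAGMENTS = ("password", "passwd", "secret", "token", "api_key")

# Constructed sample value standing in for a real credential.
SAMPLE_TOKEN = "s3cr3t-constructed"


def redact_kwargs(kwargs):
    """Return a copy of kwargs with values masked for sensitive-looking keys."""
    return {
        key: "***" if any(f in key.lower() for f in SENSITIVE_FRAGMENTS) else value
        for key, value in kwargs.items()
    }


class ToyOperator:
    """Constructed stand-in for an operator that rejects unknown kwargs."""

    allowed = {"task_id", "bash_command"}

    def __init__(self, redact, **kwargs):
        unknown = {k: v for k, v in kwargs.items() if k not in self.allowed}
        if unknown:
            # redact=False reproduces the leak: raw kwargs end up in the message.
            shown = redact_kwargs(unknown) if redact else unknown
            raise TypeError(f"Invalid arguments were passed: {shown}")
        self.kwargs = kwargs


def parse_error_text(redact):
    """Simulate a parse-time failure and return the traceback text a UI would render."""
    try:
        ToyOperator(redact, task_id="load", api_token=SAMPLE_TOKEN, retries_typo=3)
    except TypeError:
        return traceback.format_exc()
    return ""


if __name__ == "__main__":
    print(parse_error_text(redact=False))  # traceback contains the token value
    print(parse_error_text(redact=True))   # token value replaced by ***
```

Tracebacks also quote the source line of the failing call, so a secret written as a literal in the DAG file would still appear; the sketch passes it through a variable for that reason.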
NVD CVSS 3.1: 6.5
Vulnerability type
CWE-209
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026