CVE-2025-68675

Published Jan 16, 2026

Last updated 9 days ago

CVSS high 7.5

Overview

Description
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
Source
security@apache.org
NVD status
Modified
Products
airflow

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security@apache.org
CWE-532

Social media

Hype score
Not currently trending

  1. ⚠️ Vulnerabilidades en productos Apache ❗ CVE-2025-68675 ❗ CVE-2025-68438 ❗ CVE-2025-60021 ➡️ Más info: https://t.co/pFFA5LPHue https://t.co/lS0GELcr0e

    @CERTpy

    22 Jan 2026

    65 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-68438 & CVE-2025-68675: Why Your Airflow Secrets are Leaking in Plain Sight. Read the full report on - https://t.co/1OhWD6rI4f https://t.co/jqVf3YGF7H

    @cyberbivash

    20 Jan 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Apache Airflow Bugs Can Leak Proxy Credentials and Secrets via Logs and the Web UI Two Airflow flaws (CVE-2025-68675, CVE-2025-68438) in versions <3.1.6 can expose proxy usernames/passwords in task logs and leak sensitive templated secrets in the Rendered Templates UI due

    @ThreatSynop

    20 Jan 2026

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-68675: Airflow Leaks: When Proxies Spill Secrets in the Logs Apache Airflow versions prior to 3.1.6 failed to mask sensitive credentials embedded within proxy URLs in connection configurations, leading to clear-text password exposure in execu... https://t.co/zVzt0ONdTa

    @_cvereports

    18 Jan 2026

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-68675 In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These… https://t.co/P1rCMupZJR

    @CVEnew

    16 Jan 2026

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-68438: Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated https://t.co/4aUKozFsUP CVE-2025-68675: Apache Airflow: proxy credentials for various providers might leak in task logs https://t.co/cLjh7O7Cmz

    @oss_security

    16 Jan 2026

    669 Impressions

    2 Retweets

    9 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.CVE-2024-56373
  2. Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378CVE-2025-27555
  3. When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.  The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.CVE-2025-65995
  4. Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issueCVE-2026-24098
  5. Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.CVE-2026-22922

References

Sources include official advisories and independent security research.