CVE-2025-66388

unknown

Published 2025-12-15 · Modified 2026-05-20

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2

—

VIR risk

—

Description

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	apache-airflow	`>=3.1.0,<3.1.5`	`3.1.5`
PyPI	apache-airflow	`>=3.1.0,<3.1.4`	`3.1.4`

References

https://nvd.nist.gov/vuln/detail/CVE-2025-66388
https://github.com/apache/airflow/pull/58767
https://github.com/apache/airflow/pull/58772
https://github.com/apache/airflow
https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g
http://www.openwall.com/lists/oss-security/2025/12/12/1

Verify integrity in audit chain (admin only). AS-IS.