{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25219", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-30T09:13:59.458Z", "datePublished": "2026-04-15T12:30:17.584Z", "dateUpdated": "2026-04-15T13:14:55.658Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.1.8", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Saurabh Banawar"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data.<br><br>If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.1.8"}], "value": "The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data.\n\nIf you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.1.8"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-15T13:14:55.658Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/61580"}, {"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/61582"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb96y4ttqh"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data.\n\nIf you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.1.8"}], "id": "CVE-2026-25219", "lastModified": "2026-04-15T14:16:14.970", "metrics": {}, "published": "2026-04-15T13:16:24.343", "references": [{"source": "security@apache.org", "url": "https://github.com/apache/airflow/pull/61580"}, {"source": "security@apache.org", "url": "https://github.com/apache/airflow/pull/61582"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb96y4ttqh"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Airflow", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "airflow", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-15T14:35:33.229140+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Airflow to version 3.1.8 where the properties are properly marked as sensitive.", "Re\u2011configure any existing connections that use access_key or connection_string to ensure sensitive data is masked and not logged.", "Restrict view permissions on the Connection UI and logging to only necessary personnel."], "summary": {"action": "Update Airflow", "impact": "Sensitive data exposure via exposed connection strings"}, "threat_synthesis": {"affected_systems": "Apache Airflow, specifically any deployment that uses Azure Service Bus connections with access_key or connection_string properties. Other providers that store sensitive data in the same fields may also be impacted. No specific version information is provided in the CNA data.", "description_and_impact": "The updated description confirms that the access_key and connection_string fields were not marked as sensitive names in Airflow\u2019s secrets masker, allowing users with read permission to view these values in the Connection UI or in logs where connections are inadvertently written. The exposed data includes credentials used by Azure Service Bus and potentially other providers employing the same fields, resulting in a confidentiality compromise (CWE-200).", "risk_and_exploitability": "This is a confidentiality-only risk that requires read access to the Connection UI or logs, with no privilege escalation. The EPSS score is not available, and the vulnerability is not listed in the KEV catalog, indicating a moderate exploit likelihood. Mitigation is required promptly to prevent accidental leakage of credentials. The attack vector is an authorized user with view permissions reading the UI or parsing logs."}}}}, "created": "2026-04-15T13:38:28.751489+00:00", "updated": "2026-04-15T14:52:50.210013+00:00", "vendors": ["apache", "apache$PRODUCT$airflow"]}