Description

Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option. This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior. Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.

INFO

Published Date :

2025-09-26T07:28:59.066Z

Last Modified :

2025-11-04T21:12:55.586Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54831 vulnerability.

Vendors Products
Apache
  • Airflow
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54831.

URL Resource
http://www.openwall.com/lists/oss-security/2025/09/25/4 cve-icon
https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5podxspf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact