Vulnerability Description
The `access_key` and `connection_string` connection properties were not marked as sensitive names in the secrets masker. As a result, a user with read permission could see their values in the Connection UI, and if a Connection was accidentally logged, the values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Other providers could possibly also be affected if they used the same fields to store sensitive data. If you used an Azure Service Bus connection with those values set, or if you have other connections that store sensitive values in those fields, you should upgrade Airflow to 3.1.8.
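An added example (not Airflow's code and not part of the advisory): a Python check that lists which connections carry non-empty `access_key` or `connection_string` extras, so you know which stored values were shown unmasked. The input layout (connection id mapped to fields, with `extra` as a JSON string or object), the substring key match, and the sample data are assumptions of this example.

```python
import json

# Property names the advisory says were not treated as sensitive.
AFFECTED_NAMES = ("access_key", "connection_string")


def _affected_keys(node, path=""):
    """Yield dotted paths of non-empty extras whose key contains an affected name."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if isinstance(value, (dict, list)):
                yield from _affected_keys(value, here)
            elif value not in (None, "") and any(n in str(key).lower() for n in AFFECTED_NAMES):
                yield here
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _affected_keys(item, f"{path}[{i}]")


def find_exposed(connections):
    """Map conn_id -> sorted key paths to review. Values are never returned."""
    findings = {}
    for conn_id, conn in connections.items():
        extra = conn.get("extra") or {}
        if isinstance(extra, str):
            try:
                extra = json.loads(extra)
            except json.JSONDecodeError:
                continue  # extras that are not JSON cannot be inspected by key
        hits = sorted(_affected_keys(extra))
        if hits:
            findings[conn_id] = hits
    return findings


# Constructed sample; the layout (conn_id -> fields, "extra" as JSON) is an assumption.
SAMPLE = {
    "asb_default": {"conn_type": "azure_service_bus",
                    "extra": json.dumps({"connection_string": "Endpoint=sb://example.invalid/;PLACEHOLDER"})},
    "object_store": {"conn_type": "generic",
                     "extra": {"region": "eu", "auth": {"Access_Key": "PLACEHOLDER"}}},
    "pg_reporting": {"conn_type": "postgres", "password": "PLACEHOLDER", "extra": "{\"sslmode\": \"require\"}"},
    "empty_field": {"conn_type": "generic", "extra": "{\"access_key\": \"\"}"},
}

if __name__ == "__main__":
    for conn_id, keys in find_exposed(SAMPLE).items():
        print(f"{conn_id}: review values stored under {', '.join(keys)}")
```

The report contains key paths only, so it can be shared or logged without repeating the exposure.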
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 3.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/airflow/pull/61580 (Issue Tracking)
- https://github.com/apache/airflow/pull/61582 (Issue Tracking)
- https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb96y4ttqh (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/04/15/3 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2026-25219?
CVE-2026-25219 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The `access_key` and `connection_string` connection properties were not marked as sensitive names in the secrets masker. This means that a user with read permission could see the values in the Connection UI, as...
How severe is CVE-2026-25219?
CVE-2026-25219 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-25219?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow.