CVE-2025-27555

Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/airflow/pull/61882	Issue Tracking
https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

11 Mar 2026, 16:16

Type	Values Removed	Values Added
Summary		(es) Las versiones de Airflow anteriores a la 2.11.1 tienen una vulnerabilidad que permite a los usuarios autenticados con acceso al registro de auditoría ver valores sensibles en los registros de auditoría que no deberían ver. Cuando se configuraron parámetros de conexión sensibles a través de la CLI de Airflow, los valores de esas variables aparecieron en el registro de auditoría y se almacenaron sin cifrar en la base de datos de Airflow. Si bien este riesgo está limitado a los usuarios con acceso al registro de auditoría, se recomienda actualizar a Airflow 2.11.1 o una versión posterior, que aborda este problema. Los usuarios que previamente usaron la CLI para configurar conexiones deben eliminar manualmente las entradas con esos valores sensibles de conexión de la tabla de registro. Esto es similar pero no el mismo problema que CVE-2024-50378
CWE	~~CWE-201~~

24 Feb 2026, 21:04

Type	Values Removed	Values Added
References	~~() https://github.com/apache/airflow/pull/61882 -~~	() https://github.com/apache/airflow/pull/61882 - Issue Tracking
References	~~() https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw -~~	() https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw - Mailing List, Vendor Advisory
CWE		CWE-532
First Time		Apache airflow Apache
CPE		cpe:2.3:a:apache:airflow::::::::

24 Feb 2026, 16:24

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

24 Feb 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-24 10:16

Updated : 2026-03-11 16:16

NVD link : CVE-2025-27555

Mitre link : CVE-2025-27555

CVE.ORG link : CVE-2025-27555

JSON object : View

Products Affected

apache

airflow

CWE

CWE-532

Insertion of Sensitive Information into Log File

6.5 /10