CVE-2025-54831
MEDIUMDescription
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option. This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior. Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| apache | airflow |
References
Frequently Asked Questions
What is CVE-2025-54831? +
How severe is CVE-2025-54831? +
What products are affected by CVE-2025-54831? +
How do I check if I'm vulnerable to CVE-2025-54831? +
Related Vulnerabilities
Exposure of Sensitive Information Due to Incompatible Policies vulnerability in Mia Technology Inc. MİA-MED allows Collect Data as Provided by …
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not …
Exposure of Sensitive Information vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user …
IBM Concert 1.0.0, 1.0.1, and 1.0.2 is vulnerable to sensitive information disclosure through specially crafted API Calls.
The Dario Health Internet-based server infrastructure is vulnerable due to exposure of development environment details, which could lead to unsafe …
Under certain conditions Statutory Reports in SAP S/4 HANA allows an attacker with basic privileges to access information which would …