The Apache Software Foundation has released a fix for Apache Airflow, a popular open-source platform for authoring, scheduling, and monitoring workflows. The update addresses CVE-2025-54831, an important-severity vulnerability that exposed sensitive connection details to users with READ permissions.
According to the advisory, "Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a 'write-only' model for sensitive values."
However, in version 3.0.3 this model was unintentionally broken. The advisory warns: "Sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS configuration option."
This means that users with only viewing rights could still access passwords, tokens, and other sensitive credentials tied to Airflow's connection configurations: data that should have been strictly hidden.
The flaw only affects Apache Airflow 3.0.3. Earlier Airflow 2.x versions are not impacted because, as the advisory notes, "exposing sensitive information to connection editors was the intended and documented behavior."
Still, for organizations that upgraded to Airflow 3.0.3, the issue significantly weakens the platform's security model, potentially allowing insider threats or misconfigured accounts to access credentials for external systems.
The Apache Airflow team urges all users of version 3.0.3 to upgrade immediately.
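For operators who want to confirm where they stand, the following audit helper is an added example written for this article; it is not code from the advisory or the Airflow project. It flags the affected 3.0.3 release and checks whether a connection record, as returned to a READ-only user, still carries clear-text sensitive values. The record layout and the list of sensitive `extra` keys are assumptions modelled on the Airflow REST API connection object, and the records are constructed samples.

```python
import json

AFFECTED = "3.0.3"  # the only release the advisory names as affected
MASKED = (None, "", "***")  # values a viewer is allowed to see
# Assumed set of key fragments Airflow treats as sensitive inside "extra" (not from the advisory).
SENSITIVE_EXTRA_KEYS = ("password", "token", "secret", "private_key", "api_key")


def is_affected(version: str) -> bool:
    """True only for the 3.0.3 release; Airflow 2.x is documented as not impacted."""
    return version.strip() == AFFECTED


def leaked_fields(record: dict) -> list[str]:
    """Return the sensitive fields a read-only viewer should never see in clear.

    A null or masked value is fine; anything else is treated as a leak.
    """
    leaks = []
    if record.get("password") not in MASKED:
        leaks.append("password")
    extra = record.get("extra")
    if isinstance(extra, str) and extra:
        try:
            extra = json.loads(extra)  # Airflow stores "extra" as a JSON string
        except json.JSONDecodeError:
            extra = None  # opaque value; cannot judge it, so skip
    if isinstance(extra, dict):
        for key, value in extra.items():
            if any(s in key.lower() for s in SENSITIVE_EXTRA_KEYS) and value not in MASKED:
                leaks.append(f"extra.{key}")
    return leaks


def audit(version: str, record: dict) -> dict:
    """Combine both checks into one report: affected build, leaked fields, action."""
    leaks = leaked_fields(record)
    return {"version_affected": is_affected(version), "leaked_fields": leaks,
            "upgrade_required": is_affected(version) or bool(leaks)}


# Constructed samples: what a viewer should get versus what 3.0.3 handed back.
MASKED_RECORD = {"connection_id": "warehouse", "conn_type": "postgres", "host": "db.internal",
                 "login": "etl", "password": None, "extra": None}
EXPOSED_RECORD = {"connection_id": "warehouse", "conn_type": "postgres", "host": "db.internal",
                  "login": "etl", "password": "hunter2",
                  "extra": json.dumps({"sslmode": "require", "api_token": "abc123"})}

if __name__ == "__main__":
    print(audit("3.0.3", EXPOSED_RECORD))  # upgrade_required: True
    print(audit("3.0.4", MASKED_RECORD))   # upgrade_required: False
```

Point `leaked_fields` at a connection fetched with a READ-only account; any non-empty result means the write-only model is not being enforced on that deployment.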