# CVE-2025-66236: Apache Airflow Configuration Secret Leakage Vulnerability

## Vulnerability Overview

Prior to Apache Airflow 3.0.0, the DAG run log UI would record secrets from the Airflow configuration file in plaintext. This could allow unauthorized users to view security-sensitive information such as JWT keys and workload isolation configurations.

## Impact Scope

- **Affected Versions**: Apache Airflow (apache-airflow) versions prior to 3.0.0
- **Severity**: Moderate

## Remediation

- **Upgrade Version**: Users are advised to upgrade to Apache Airflow 3.2.0 or later, which fixes this issue.
- **Reference Documentation**:
  - [Airflow 3.2.0 Blog Announcement](https://airflow.apache.org/blog/airflow-3.2/)
  - [Security Model](https://airflow.apache.org/docs/apache-airflow/stable/security.html)
  - [JWT Token Authentication](https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html)
  - [Workload Isolation](https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html)

## References

- GitHub Pull Request: [apache/airflow/pull/58662](https://github.com/apache/airflow/pull/58662)
- Airflow Issue: [apache/airflow/issues/58662](https://airflow.apache.org/issues/58662)
- CVE Record: [CVE-2025-66236](https://www.cve.org/CVERecord?id=CVE-2025-66236)
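Because the issue is that configuration secrets were written into DAG run logs, an operator on an affected version wants to know whether their existing logs already contain such values before rotating them. The following script is an added example, not code from Apache Airflow or from this advisory: it takes the sensitive configuration values an operator already knows (here constructed placeholders, where a real deployment would read them from `airflow.cfg` or the `AIRFLOW__<SECTION>__<KEY>` environment variables), scans captured log lines for them, and can redact them from lines before they are exported elsewhere. The option names, sample values and log lines are all constructed for illustration; it also treats the password embedded in a connection URI as a secret in its own right, since that fragment can leak without the full URI.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Values shorter than this match too much ordinary log text to be useful.
MIN_SECRET_LEN = 8

# Constructed sample: option names with fake sensitive values. A real run would
# load these from airflow.cfg or AIRFLOW__<SECTION>__<KEY> environment variables.
SAMPLE_CONFIG_SECRETS: Dict[str, str] = {
    "api_auth.jwt_secret": "jwt-secret-PLACEHOLDER-0123",
    "core.fernet_key": "fernet-key-PLACEHOLDER-abcd",
    "database.sql_alchemy_conn": "postgresql://airflow:dbpass-PLACEHOLDER@db:5432/airflow",
    "core.unit_test_mode": "True",  # short, non-secret value: must be ignored
}

# Constructed sample log lines in the style of an Airflow task log.
SAMPLE_LOG_LINES: List[str] = [
    "[2025-01-01 00:00:00] INFO - Starting task run for dag=example_dag",
    "[2025-01-01 00:00:01] DEBUG - config: api_auth.jwt_secret=jwt-secret-PLACEHOLDER-0123",
    "[2025-01-01 00:00:02] INFO - True enough, proceeding",
    "[2025-01-01 00:00:03] DEBUG - db password is dbpass-PLACEHOLDER",
    "[2025-01-01 00:00:04] INFO - Task finished",
]


def sensitive_fragments(value: str) -> List[str]:
    """Strings that must not appear in a log for one config value: the value
    itself and, for connection URIs, the embedded password on its own.
    Fragments below MIN_SECRET_LEN are dropped to avoid false positives."""
    frags = [value]
    if "://" in value:
        password = urlsplit(value).password
        if password:
            frags.append(password)
    # Longest first so redaction of a full URI wins over its password part.
    frags.sort(key=len, reverse=True)
    return [f for f in frags if len(f) >= MIN_SECRET_LEN]


def find_leaked_secrets(secrets: Dict[str, str], log_lines: Iterable[str]) -> Dict[str, List[int]]:
    """Map each config option whose sensitive fragment appears in the log to the
    1-based line numbers where it appears. Options with no hits are omitted."""
    lines = list(log_lines)
    hits: Dict[str, List[int]] = {}
    for name, value in secrets.items():
        frags = sensitive_fragments(value)
        if not frags:
            continue
        pattern = re.compile("|".join(re.escape(f) for f in frags))
        matched = [i for i, line in enumerate(lines, 1) if pattern.search(line)]
        if matched:
            hits[name] = matched
    return hits


def redact(secrets: Dict[str, str], line: str) -> str:
    """Replace every sensitive fragment in a log line with '***'."""
    for value in secrets.values():
        for frag in sensitive_fragments(value):
            line = line.replace(frag, "***")
    return line


if __name__ == "__main__":
    leaks = find_leaked_secrets(SAMPLE_CONFIG_SECRETS, SAMPLE_LOG_LINES)
    for option, line_numbers in leaks.items():
        print(f"{option}: leaked on log line(s) {line_numbers}")
    for line in SAMPLE_LOG_LINES:
        print(redact(SAMPLE_CONFIG_SECRETS, line))
```

Any option reported by `find_leaked_secrets` has a value that should be treated as exposed to whoever could read those logs, and rotated rather than merely scrubbed; `redact` only helps with copies of the logs that still have to be shared or archived.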