=====================================================================

                            CERT-Renater

                 Information Note No. 2026/VULN044
_____________________________________________________________________

DATE                : 16/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior
                     to 3.1.6.

=====================================================================
https://lists.apache.org/thread/1o1xb77tz7brn4jk7p6x6t3nw2gbwbb9
https://lists.apache.org/thread/p78sf3o70cp964f6b8yclh49jwmhok7m
_____________________________________________________________________

CVE-2025-68675: Apache Airflow: proxy credentials for various
providers might leak in task logs

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 3.1.6

Description:

In Apache Airflow versions before 3.1.6, the proxies and proxy fields
within a Connection may include proxy URLs containing embedded
authentication information. These fields were not treated as sensitive
by default and therefore were not automatically masked in log output.
As a result, when such connections are rendered or printed to logs,
proxy credentials embedded in these fields could be exposed.

Users are recommended to upgrade to 3.1.6 or later, which fixes this
issue.
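
An added example (not part of the Apache or CERT-Renater advisory): a standalone Python check for reviewing task logs written before the upgrade, reporting lines where a proxy URL carries embedded credentials and masking the userinfo. The log lines, host names and secret are constructed, and the log layout is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate URLs: scheme://, then everything up to whitespace, a quote or <>.
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s'\"<>]+")

def redact_url(url):
    """Return (url_with_userinfo_masked, found) for a single URL string."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return url, False
    if not parts.password:      # no "user:password@" in the authority part
        return url, False
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc="***@" + hostport)), True

def redact_line(line):
    """Mask every credential-bearing URL in a log line; return (line, count)."""
    count = 0
    def repl(match):
        nonlocal count
        redacted, found = redact_url(match.group(0))
        count += found
        return redacted
    return URL_RE.sub(repl, line), count

def scan_log(lines):
    """Return [(line_number, redacted_line)] for lines that exposed credentials."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        redacted, n = redact_line(line)
        if n:
            findings.append((lineno, redacted))
    return findings

# Constructed sample lines (not real Airflow output); hosts and secret are made up.
SAMPLE_LOG = [
    "[2026-01-10T08:00:01] INFO - Using connection ID 'http_default'",
    "[2026-01-10T08:00:01] INFO - extra: {'proxies': {'https': "
    "'http://svc_user:S3cr3t!@proxy.example.internal:3128'}}",
    "[2026-01-10T08:00:02] INFO - extra: {'proxy': 'http://proxy.example.internal:3128'}",
    "[2026-01-10T08:00:03] INFO - GET https://api.example.com/v1/items?user=a:b@c -> 200",
]

if __name__ == "__main__":
    for lineno, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {line}")
```

Any credential reported by such a scan should be rotated, since it was already written to the log in cleartext.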

Credit:

lwlkr https://github.com/kwkr (finder)
Ankit Chaurasia (remediation developer)

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-68675

_____________________________________________________________________

CVE-2025-68438: Apache Airflow: Secrets in rendered templates could
contain parts of sensitive values when truncated

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.1.0 before 3.1.6

Description:

In Apache Airflow versions before 3.1.6, when rendered template fields
in a Dag exceed [core] max_templated_field_length, sensitive values
could be exposed in cleartext in the Rendered Templates UI. This
occurred because serialization of those fields used a secrets masker
instance that did not include user-registered mask_secret() patterns,
so secrets were not reliably masked before truncation and display.

Users are recommended to upgrade to 3.1.6 or later, which fixes this
issue.

Credit:

William Ashe (finder)
Amogh Desai (remediation developer)

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-68438



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




