
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN206
_____________________________________________________________________

DATE                : 23/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior
                     to 2.11.1.

=====================================================================
https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw
_____________________________________________________________________

CVE-2025-27555: Apache Airflow: Connection Secrets not masked in UI
when Connections are added via Airflow CLI
Severity: low

Affected versions:

- Apache Airflow (apache-airflow) before 2.11.1

Description:

Airflow versions before 2.11.1 have a vulnerability that allows
authenticated users with audit log access to see sensitive values
in audit logs which they should not see. When sensitive connection
parameters were set via the Airflow CLI, the values of those parameters
appeared in the audit log and were stored unencrypted in the Airflow
database. While this risk is limited to users with audit log access,
it is recommended to upgrade to Airflow 2.11.1 or a later version,
which addresses this issue. Users who previously used the CLI to set
connections should manually delete the entries containing those
sensitive connection values from the log table. This is similar to,
but not the same issue as, CVE-2024-50378.
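The cleanup step above is easier with a check that finds the affected rows first. The following is an added, constructed example, not part of this advisory or of Airflow's own code: it scans exported audit-log rows for CLI connection events that still carry a secret and produces a redacted copy of each. The row shape (dicts with 'id', 'event' and an 'extra' JSON field holding a 'full_command' argv) and the set of secret-carrying flags are assumptions; adjust them to your deployment.

```python
import json
from urllib.parse import urlsplit

# `airflow connections add` flags whose argument can carry a secret (assumption).
SECRET_FLAGS = {"--conn-password", "--conn-extra", "--conn-uri"}
MASK = "***"

def uri_has_password(text):
    # True for connection URIs such as scheme://user:secret@host/path
    try:
        return bool(urlsplit(text).password)
    except ValueError:
        return False

def redact_argv(argv):
    """Mask '--flag value', '--flag=value' and URI passwords in a recorded
    CLI argv. Returns (redacted_argv, number_of_values_masked)."""
    out, masked, mask_next = [], 0, False
    for item in map(str, argv):
        flag, sep, _ = item.partition("=")
        inline = bool(sep) and flag in SECRET_FLAGS
        if mask_next or inline or uri_has_password(item):
            out.append(f"{flag}={MASK}" if inline else MASK)
            masked += 1
            mask_next = False
        else:
            out.append(item)
            mask_next = item in SECRET_FLAGS  # next token is the secret
    return out, masked

def audit_rows_with_secrets(rows):
    """Return {row_id: redacted_extra_json} for CLI connection audit events
    that still carry a secret (rows: dicts with 'id', 'event', 'extra';
    'extra' assumed to be JSON holding a 'full_command' argv)."""
    findings = {}
    for row in rows:
        if not str(row.get("event", "")).startswith("cli_connections"):
            continue
        extra = json.loads(row.get("extra") or "{}")
        argv, masked = redact_argv(extra.get("full_command", []))
        if masked:
            findings[row["id"]] = json.dumps({**extra, "full_command": argv})
    return findings

# Constructed sample rows, not real audit-log data.
SAMPLE_ROWS = [
    {"id": 1, "event": "cli_connections_add", "extra": json.dumps({"full_command": [
        "airflow", "connections", "add", "db1", "--conn-password", "hunter2"]})},
    {"id": 2, "event": "cli_connections_add", "extra": json.dumps({"full_command": [
        "airflow", "connections", "add", "db2", "--conn-uri", "postgres://app:s3cret@db/app"]})},
]
```

The returned ids are the log-table rows to delete or overwrite with the redacted 'extra'; entries for non-connection CLI commands are left alone.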

Credit:

sw0rd1ight (finder)

References:

https://github.com/apache/airflow/pull/61882
https://www.apache.org/security/
https://www.cve.org/CVERecord?id=CVE-2025-27555


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================