Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli

Vulnerability

Description CVE-2025-27555 affects Apache Airflow versions prior to 2.11.1. The vulnerability arises when sensitive connection parameters (e.g., passwords, tokens) are set using the Airflow CLI. These values are logged in the audit log and stored unencrypted in the Airflow database, making them visible to any authenticated user with audit log access. This issue is related to improper masking of sensitive data during logging, similar to but distinct from CVE-2024-50378 [3].

Exploitation

Exploitation requires authenticated access to Airflow and the ability to view audit logs. An attacker with such privileges (e.g., a malicious insider or compromised user) can retrieve sensitive credentials by reading the audit log entries. The vulnerability is limited to users who already have audit log access, but it still poses a risk in environments where audit logs are widely accessible.

Impact

An attacker who exploits this vulnerability can obtain sensitive connection details, potentially leading to unauthorized access to external systems (databases, APIs, etc.) that Airflow connects to. The impact is considered moderate, but the exposure of secrets could enable lateral movement or data breaches.

Mitigation

The fix is included in Apache Airflow 2.11.1 [1][3]. Users should upgrade to this version or later. As an additional step, users who previously used the CLI to set connections should manually delete entries with sensitive values from the log table to avoid exposing historical data. Reference [2] shows a pull request that introduces masking for connection details when using JSON or URI formats.