High severityOSV Advisory· Published Jan 16, 2026· Updated Jan 16, 2026
Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated
CVE-2025-68438
Description
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.
Users are recommended to upgrade to 3.1.6 or later, which fixes this issue
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflowPyPI | >= 3.1.0, < 3.1.6 | 3.1.6 |
Affected products
6- osv-coords5 versionspkg:apk/chainguard/airflow-3pkg:apk/chainguard/airflow-core-3pkg:apk/wolfi/airflow-3pkg:bitnami/airflowpkg:pypi/apache-airflow
< 3.1.6-r0+ 4 more
- (no CPE)range: < 3.1.6-r0
- (no CPE)range: < 3.1.6-r0
- (no CPE)range: < 3.1.6-r0
- (no CPE)range: >= 3.1.0, < 3.1.6
- (no CPE)range: >= 3.1.0, < 3.1.6
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-3qmm-r55x-hpxxghsaADVISORY
- lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyffghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-68438ghsaADVISORY
- www.openwall.com/lists/oss-security/2026/01/15/5ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-9.yamlghsaWEB
News mentions
0No linked articles in our index yet.