CVE-2025-65995

Feb. 21, 2026, 3:15 a.m.

None
No Score

Description

When a DAG failed during parsing, Airflow's error reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.

Product(s) Impacted

Vendor Product Versions
Apache Airflow 3.1.4, 2.11.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-209
Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a apache airflow 3.1.4 / / / / / / /
a apache airflow 2.11.1 / / / / / / /

Timeline

Published: Feb. 21, 2026, 3:15 a.m.
Last Modified: Feb. 21, 2026, 3:15 a.m.

Status: Received

CVE has been recently published to the CVE List and has been received by the NVD.

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.