Zero Day MonitorZDM

← Back to list

6.5

CVE-2026-25219EXPLOITEDPATCHED

apache · airflow

Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access

Description

The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data. If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.1.8

Affected Products

Vendor	Product	Versions
apache	airflow	pip/apache-airflow: < 3.1.8

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
apache	airflow	cert_advisory	90%

References

https://github.com/apache/airflow/pull/61580(patch)
https://github.com/apache/airflow/pull/61582(patch)
https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb96y4ttqh(vendor-advisory)

Related News (3 articles)

Tier B

BSI Advisories3d ago

[NEU] [mittel] Apache Airflow: Schwachstelle ermöglicht Offenlegung von Informationen

→ No new info (linked only)

Tier C

oss-security3d ago

CVE-2026-25219: Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access

→ No new info (linked only)

Tier C

VulDB3d ago

CVE-2026-25219 | Apache Airflow up to 3.1.7 Azure Service Bus access_key/connection_string information disclosure

→ No new info (linked only)

CVSS 3.16.5 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

apache-airflow@3.1.8

CWECWE-200

PublishedApr 15, 2026

Last enriched3d agov3

Trending Score36

Source articles3

Independent3

Info Completeness9/14

Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34197EXPKEV

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

NONECVE-2026-31987EXP

Apache Airflow: JWT token appearing in logs

MEDIUMCVE-2026-34479EXP

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

HIGHCVE-2026-35554EXP

Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition

MEDIUMCVE-2026-34480EXP

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 15, 2026

Discovered by ZDM

Apr 15, 2026

Updated: affectedVersions, severity

Apr 15, 2026

Updated: severity, affectedVersions, exploitAvailable, activelyExploited

Apr 15, 2026

Actively Exploited

Apr 15, 2026

Exploit Available

Apr 15, 2026

Patch Available

Apr 15, 2026

Version History

v3

Last enriched 3d ago

v3Tier C3d ago

Updated severity to LOW, marked exploit as available, and indicated active exploitation.

severityaffectedVersionsexploitAvailableactivelyExploited

via oss-security

v2Tier C3d ago

Updated affected versions to include 3.1.7, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseverity

via VulDB

v13d ago

Initial creation