Apache Airflow Vulnerability Lets Read-Only Users Access Sensitive Data
Apache Airflow maintainers have disclosed a serious security issue, tracked as CVE-2025-54831, that allows users holding only read permissions to view sensitive connection details via both the Airflow API and web interface.
The vulnerability, present in Airflow version 3.0.3, undermines the platform’s intended “write-only” treatment of secrets in Connections and could lead to unauthorized exposure of credentials and other secret configuration data.
Apache Airflow is an open-source workflow orchestration platform widely adopted for scheduling and monitoring data pipelines.
With the release of Airflow 3.0.0, the project introduced a tighter security model for sensitive information in Connection objects.
Under this model, fields such as passwords, tokens, and private keys were intended to be masked by default and only revealed to users who hold explicit Connection edit (write) permissions. Read-only users were restricted to viewing non-sensitive metadata.
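To make the intended model concrete, here is an added illustration (hypothetical example code, not Airflow's own implementation) of a permission-gated serializer for Connection-like objects: secret fields are masked unless the caller holds edit permission, and a companion audit helper checks whether any secret value survives verbatim in a rendered response, which is the regression check a defender would run against a read-only account. The permission names `connections.read` / `connections.edit`, the `SENSITIVE_KEYS` list, and the sample connection are all assumptions constructed for the example.

```python
"""Permission-gated view of Airflow-style Connection objects.

Hypothetical example, not Airflow code: it models the "write-only secrets"
policy of the Airflow 3 security model, where sensitive connection fields
are masked for readers and revealed only to users with edit permission.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed list of secret-bearing key fragments; matched case-insensitively
# as substrings so keys like "aws_secret_access_key" are caught too.
SENSITIVE_KEYS = ("password", "secret", "token", "api_key", "private_key")
MASK = "***"


@dataclass(frozen=True)
class Connection:
    conn_id: str
    conn_type: str
    host: Optional[str] = None
    login: Optional[str] = None
    password: Optional[str] = None
    extra: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # assumed permission strings, see below


def can_edit_connections(user: User) -> bool:
    return "connections.edit" in user.permissions


def can_read_connections(user: User) -> bool:
    return "connections.read" in user.permissions or can_edit_connections(user)


def _is_sensitive(key: str) -> bool:
    k = key.lower()
    return any(fragment in k for fragment in SENSITIVE_KEYS)


def mask_extra(extra: Dict[str, str]) -> Dict[str, str]:
    """Mask only the sensitive entries of the free-form 'extra' dict."""
    return {k: (MASK if _is_sensitive(k) else v) for k, v in extra.items()}


def serialize_connection(conn: Connection, user: User) -> dict:
    """Render a connection for `user`; secrets appear only for editors."""
    if not can_read_connections(user):
        raise PermissionError(f"{user.name} may not read connections")
    reveal = can_edit_connections(user)
    return {
        "conn_id": conn.conn_id,
        "conn_type": conn.conn_type,
        "host": conn.host,
        "login": conn.login,
        "password": conn.password if reveal else (MASK if conn.password else None),
        "extra": conn.extra if reveal else mask_extra(conn.extra),
    }


def secret_values(conn: Connection) -> Set[str]:
    """All secret strings stored on the connection (password + sensitive extras)."""
    vals = {conn.password} if conn.password else set()
    vals.update(v for k, v in conn.extra.items() if _is_sensitive(k) and v)
    return vals


def leaked_secrets(conn: Connection, rendered: dict) -> Set[str]:
    """Return the secret values of `conn` found verbatim in a rendered
    response (what an API/UI audit would compare). Empty set means no leak."""
    text = json.dumps(rendered, default=str)
    return {s for s in secret_values(conn) if s in text}


# Constructed sample data for the demonstration.
SAMPLE_CONNECTION = Connection(
    conn_id="warehouse",
    conn_type="postgres",
    host="db.internal.example",
    login="etl",
    password="constructed-pw-123",
    extra={"aws_secret_access_key": "constructed-secret-xyz", "region": "eu-west-1"},
)
READ_ONLY_USER = User("viewer", frozenset({"connections.read"}))
EDITOR_USER = User("admin", frozenset({"connections.read", "connections.edit"}))

if __name__ == "__main__":
    for user in (READ_ONLY_USER, EDITOR_USER):
        view = serialize_connection(SAMPLE_CONNECTION, user)
        print(user.name, json.dumps(view), "leaked:", leaked_secrets(SAMPLE_CONNECTION, view))
```

The `leaked_secrets` check is the part worth keeping in a test suite: run it against the response a read-only principal actually receives from the API and the web views, and fail the build if the set is non-empty, so a regression in the masking path is caught before it reaches production.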
However, an implementation oversight in Airflow 3 ...
Copyright of this story solely belongs to gbhackers.