Apache: >> Airflow >> 3.0.3 Security Vulnerabilities
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
CVSS Score
5.4
EPSS Score
0.003
Published
2025-10-30
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
CVSS Score
4.6
EPSS Score
0.002
Published
2025-10-30
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values.
In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option.
This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.
Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-09-26
Page 3