If you use Apache Airflow to manage multiple workflows, take careful note of this. A critical vulnerability has been discovered in the latest version of Airflow (v3.0.3) that allows even read-only users to view secrets such as passwords, database connection details, and tokens.
Consider it like this—you gave a friend a key to only check your mail, but you also inadvertently gave them access to your safe. Not very good.
Apache has already released a fix, and the advice is simple: update to Airflow version 3.0.4 or later immediately.
So comfortable with the old version or worrying you should have updated?
So What Happened?
Airflow is supposed to keep sensitive information masked. In version 3.0.3 that protection broke: both the web dashboard and the API showed details that were intended to stay hidden. Quite frankly, not a great experience.
Why Is This a Problem?
The bug is being tracked as CVE-2025-54831 and labeled as "important," for the following reasons:
- Passwords and API keys were exposed,
- Security settings did not work as intended,
- Trust was eroded because users assumed these secrets were safe.
Who Is Impacted?
This bug only impacts Airflow version 3.0.3; earlier 2.x versions are presumably not impacted (though they could be compromised in other ways).
Things You Need To Know
If you're using version 3.0.3 of Airflow:
- Upgrade to **the fixed version** (3.0.4 or later) right away.
- Inspect the logs for any strange behavior.
- Rotate any password or token that may have been exposed (if you use stateless secret management).
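As an added example (not part of the original post and not Airflow project code), a small Python helper that turns the advice above into two checks: whether the reported version is the affected 3.0.3, and whether the connections listing a read-only user received contains populated password or secret-looking extra fields, which identifies the credentials to rotate. The sample response, the field names checked and the secret-key heuristic are my assumptions.

```python
"""Audit helpers for CVE-2025-54831 (Airflow 3.0.3 secret exposure).
Written for this article, not Airflow project code. Two defender-side checks:
is the reported version the affected one, and did a read-only user's view of
the connections listing contain secret fields that should have been masked?"""
import json
import re

# Heuristic key names that mark a secret inside a connection's "extra" JSON.
# This is my own short list, not Airflow's sensitive-field list.
SENSITIVE_KEY_HINTS = ("password", "secret", "token", "key")


def is_vulnerable_version(version):
    """True only for 3.0.3; 3.0.4 and later carry the fix, 2.x is not named."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(x) for x in m.groups()) == (3, 0, 3)


def _extra_has_secret(extra):
    """Flag an 'extra' blob whose keys look like credentials."""
    if not extra:
        return False
    try:
        keys = json.loads(extra).keys()
    except (ValueError, AttributeError):
        return True  # unparseable or non-object extra: flag for manual review
    return any(h in k.lower() for k in keys for h in SENSITIVE_KEY_HINTS)


def find_exposed_secrets(payload):
    """Connections a read-only viewer saw with a password or secret-looking
    extra. Any hit means masking failed: rotate that credential."""
    return [
        conn.get("connection_id", "<unknown>")
        for conn in payload.get("connections", [])
        if conn.get("password") or _extra_has_secret(conn.get("extra"))
    ]


# Constructed sample of what a read-only user might receive from the
# connections endpoint of an affected 3.0.3 instance (not a real capture).
SAMPLE_READONLY_RESPONSE = json.loads("""
{"connections": [
  {"connection_id": "prod_postgres", "conn_type": "postgres", "host": "db.internal",
   "login": "airflow", "password": "hunter2", "extra": null},
  {"connection_id": "s3_logs", "conn_type": "aws", "host": null, "login": null,
   "password": null, "extra": "{\\"aws_access_key_id\\": \\"AKIA_PLACEHOLDER\\"}"},
  {"connection_id": "slack_hook", "conn_type": "http", "host": "hooks.slack.com",
   "login": null, "password": null, "extra": null}
], "total_entries": 3}
""")
```

Run `find_exposed_secrets` over the listing fetched with a read-only account before and after the upgrade; a non-empty result after upgrading to 3.0.4 means something other than this bug is leaking.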