GHSA-3qmm-r55x-hpxx

Source

https://github.com/advisories/GHSA-3qmm-r55x-hpxx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-3qmm-r55x-hpxx/GHSA-3qmm-r55x-hpxx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3qmm-r55x-hpxx

Aliases

CVE-2025-68438

Downstream

MINI-5jgp-gj33-rjxr

Published

2026-01-16T12:30:25Z

Modified

2026-01-16T21:11:16.600193Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated

Details

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] maxtemplatedfieldlength, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered masksecret() patterns, so secrets were not reliably masked before truncation and display.

Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

Database specific

{
    "nvd_published_at": "2026-01-16T11:16:03Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "github_reviewed_at": "2026-01-16T20:59:54Z",
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.6

Affected versions

3.*

3.1.0

3.1.1rc1

3.1.1rc2

3.1.1

3.1.2rc1

3.1.2rc2

3.1.2

3.1.3rc1

3.1.3

3.1.4rc1

3.1.4rc2

3.1.4

3.1.5rc1

3.1.5

3.1.6rc1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-3qmm-r55x-hpxx/GHSA-3qmm-r55x-hpxx.json"