{"id":"CVE-2025-68438","details":"In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.\n\nUsers are recommended to upgrade to 3.1.6 or later, which fixes this issue.","aliases":["BIT-airflow-2025-68438","GHSA-3qmm-r55x-hpxx","PYSEC-2026-9"],"modified":"2026-05-20T08:11:13.163894451Z","published":"2026-01-16T11:16:03.760Z","related":["CGA-x363-pw7h-whx4"],"references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/01/15/5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/airflow","events":[{"introduced":"8cdef3e855527b8a431666b0ce9f3ffd43d14955"},{"fixed":"289b888f4b7493d3bea35d94d374b8323380ee1a"}],"database_specific":{"versions":[{"introduced":"3.1.0"},{"fixed":"3.1.6"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68438.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}