A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.

Affected Packages

PyPI apache-airflow

Affected versions: 0 (fixed in 2.3.1)

Related CVEs

CVE-2022-27949

Key Information

GHSA ID

GHSA-fvw2-2pf7-77vw

Published

November 14, 2022 12:00 PM

Last Modified

May 1, 2025 1:29 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

apache-airflow

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 24, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.