Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.

Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.

Affected Packages

PyPI apache-airflow

Affected versions: 0 (fixed in 2.7.1)

Related CVEs

CVE-2023-40712

Key Information

GHSA ID

GHSA-mjqh-v5f2-g2mw

Published

September 12, 2023 7:25 PM

Last Modified

November 18, 2024 4:26 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

apache-airflow

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.