Unsubscribe

On Mon, Feb 23, 2026 at 6:39 PM Jarek Potiuk <[email protected]> wrote:
> The CVE described in https://www.cve.org/CVERecord?id=CVE-2025-65995
> (Moderate) has also been fixed in 2.11.1.
>
> More detailed information here
> https://www.cve.org/CVERecord?id=CVE-2025-65995:
>
> When a DAG failed during parsing, Airflow’s error-reporting in the UI
> could include the full kwargs passed to the operators. If those kwargs
> contained sensitive values (such as secrets), they might be exposed in the
> UI tracebacks to authenticated users who had permission to view that DAG.
> The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are
> strongly advised to upgrade to prevent potential disclosure of sensitive
> information.
>
> J
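An added illustration of the failure mode the quoted advisory describes, not part of the email thread and not Airflow's code or its fix: a parse-time error report that echoes operator kwargs verbatim, next to one that masks values stored under sensitive-looking keys. `ToyOperator`, the key pattern and every sample value are constructed assumptions.

```python
import re

# Key names treated as sensitive (an assumption for this sketch, not Airflow's list).
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api_?key|authorization|private_key)", re.I)
MASK = "***"

def redact(value, key=""):
    """Recursively mask values stored under sensitive-looking keys."""
    if key and SENSITIVE_KEY.search(key):
        return MASK
    if isinstance(value, dict):
        return {k: redact(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value

class ToyOperator:
    """Hypothetical stand-in for an operator that rejects unknown kwargs."""
    ALLOWED = {"task_id", "endpoint", "password", "headers"}

    def __init__(self, **kwargs):
        unknown = set(kwargs) - self.ALLOWED
        if unknown:
            err = TypeError(f"unexpected arguments: {sorted(unknown)}")
            err.operator_kwargs = kwargs  # context kept for the error report
            raise err

def render_error_unsafe(exc):
    """Report that echoes the full kwargs, secrets included."""
    kwargs = getattr(exc, "operator_kwargs", {})
    return f"{type(exc).__name__}: {exc}; kwargs={kwargs!r}"

def render_error_redacted(exc):
    """Same report, with sensitive values masked before rendering."""
    kwargs = redact(getattr(exc, "operator_kwargs", {}))
    return f"{type(exc).__name__}: {exc}; kwargs={kwargs!r}"

def parse_dag():
    """Constructed DAG body; the typo 'retrys' makes it fail at parse time."""
    try:
        ToyOperator(task_id="push", endpoint="https://example.invalid",
                    password="s3cr3t-constructed",
                    headers={"Authorization": "Bearer abc-constructed"},
                    retrys=3)
    except TypeError as exc:
        return exc
```

Key-name masking does not catch a secret passed under an innocuous key or embedded in a longer string, so it is no substitute for the upgrade to the fixed releases named in the advisory.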
