Headline
GHSA-3qmm-r55x-hpxx: Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.
Users are recommended to upgrade to 3.1.6 or later, which fixes this issue
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-68438
Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated
High severity GitHub Reviewed Published Jan 16, 2026 to the GitHub Advisory Database • Updated Jan 16, 2026
Package
pip apache-airflow (pip)
Affected versions
>= 3.1.0, < 3.1.6
Description
Published to the GitHub Advisory Database
Jan 16, 2026
Last updated
Jan 16, 2026