
CVE-2025-27555: Apache Airflow Information Disclosure Flaw

CVE-2025-27555 is an information disclosure vulnerability in Apache Airflow that exposes sensitive connection parameters in audit logs. This article covers the technical details, affected versions, and remediation steps.

Published: February 27, 2026

CVE-2025-27555 Overview

CVE-2025-27555 is an Information Exposure vulnerability affecting Apache Airflow versions prior to 2.11.1. This flaw allows authenticated users with audit log access to view sensitive connection parameters that should remain protected. When administrators configure sensitive connection parameters via the Airflow CLI, these values are inadvertently recorded in audit logs and stored unencrypted in the Airflow database, potentially exposing credentials and other sensitive configuration data to unauthorized viewing.

Critical Impact

Authenticated users with audit log access can view sensitive connection parameters including credentials, API keys, and other confidential configuration values stored unencrypted in the database.

Affected Products

  • Apache Airflow versions prior to 2.11.1
  • Airflow installations where connections were configured via CLI
  • Environments with multi-user audit log access

Discovery Timeline

  • 2026-02-24 - CVE-2025-27555 published to NVD
  • 2026-02-24 - Last updated in NVD database

Technical Details for CVE-2025-27555

Vulnerability Analysis

This vulnerability falls under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-532 (Insertion of Sensitive Information into Log File). The core issue lies in how Apache Airflow handles sensitive connection parameters when configured through the command-line interface.

When administrators use the Airflow CLI to set up connections containing sensitive values such as database passwords, API keys, or authentication tokens, the application fails to properly redact these values before writing them to the audit log. This results in plaintext sensitive data being stored in the database's audit log table, accessible to any authenticated user with permission to view audit logs.

This vulnerability is related to but distinct from CVE-2024-50378, indicating a pattern of sensitive data handling issues within the Airflow audit logging subsystem.

Root Cause

The root cause stems from insufficient input sanitization in the audit logging mechanism. When CLI commands are executed to configure connections, the logging function captures the full command including all parameters without applying redaction rules for sensitive fields. The sensitive values are then persisted to the database in cleartext, bypassing any encryption or masking that might be applied to the connection storage itself.

Attack Vector

An attacker exploiting this vulnerability would need:

  1. Valid authentication credentials for the Apache Airflow instance
  2. Permissions to access the audit log functionality
  3. Knowledge that sensitive connections were configured via CLI

Once these conditions are met, the attacker can browse historical audit logs to discover sensitive connection parameters that were set by administrators, potentially gaining access to database credentials, cloud service API keys, or other sensitive authentication material.

The vulnerability requires network access to the Airflow web interface and authenticated low-privilege access, but does not require any user interaction to exploit. Successful exploitation results in a confidentiality breach through exposure of sensitive configuration data.

Detection Methods for CVE-2025-27555

Indicators of Compromise

  • Unusual or excessive audit log access patterns by non-administrator users
  • Queries or exports of audit log tables containing connection-related entries
  • Access to audit log endpoints from unexpected IP addresses or user accounts
  • Database queries targeting the log table with filters for connection-related commands

Detection Strategies

  • Monitor access patterns to audit log endpoints for anomalous behavior
  • Implement alerting on bulk audit log queries or exports
  • Review database access logs for direct queries against audit/log tables
  • Audit user permissions to identify over-privileged accounts with unnecessary audit log access

Monitoring Recommendations

  • Enable detailed access logging for the Airflow web interface, particularly audit log pages
  • Configure alerts for audit log access by users outside the security operations team
  • Implement periodic review of users with audit log permissions
  • Monitor for CLI command execution patterns that may indicate connection configuration activity

How to Mitigate CVE-2025-27555

Immediate Actions Required

  • Upgrade Apache Airflow to version 2.11.1 or later immediately
  • Review and restrict audit log access permissions to essential personnel only
  • Manually audit the log table for entries containing sensitive connection values
  • Rotate any credentials that may have been exposed in audit logs
  • Consider using environment variables or secrets backends instead of CLI for sensitive connections
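
The manual audit of the log table can be scripted. The following is an added example, not code from Apache Airflow or from this advisory: it scans exported audit rows for connection CLI commands whose sensitive values were logged unmasked, so the affected rows and connections can be cleaned up and rotated. It assumes that CLI audit rows have an event name starting with cli_connections and an extra column holding JSON whose full_command field is the string form of the argument list; the flag list and the asterisk-mask check are this example's choices, and the rows are constructed.

```python
import ast
import json
from urllib.parse import urlsplit

# Example selection of `airflow connections add` flags whose values can hold secrets.
SENSITIVE_FLAGS = {"--conn-password", "--conn-uri", "--conn-extra", "--conn-json"}


def is_exposed(flag, value):
    """True when a logged value is neither empty nor masked with asterisks."""
    if not value or set(value) == {"*"}:
        return False
    if flag == "--conn-uri":  # a URI matters only if it embeds a password
        try:
            return bool(urlsplit(value).password)
        except ValueError:  # unparsable URI: keep it for manual review
            return True
    return True


def find_exposed(rows):
    """Return (row id, owner, flag) for every unredacted sensitive value."""
    hits = []
    for row in rows:
        if not str(row.get("event", "")).startswith("cli_connections"):
            continue
        try:  # assumed layout: extra = JSON {"full_command": "<str(argv)>"}
            argv = [str(a) for a in ast.literal_eval(json.loads(row["extra"])["full_command"])]
        except (ValueError, SyntaxError, KeyError, TypeError):
            continue  # row does not follow the assumed layout
        for i, arg in enumerate(argv):
            flag, sep, value = arg.partition("=")
            if flag in SENSITIVE_FLAGS:
                if not sep:  # "--flag value" form: the value is the next argument
                    value = argv[i + 1] if i + 1 < len(argv) else ""
                if is_exposed(flag, value):
                    hits.append((row.get("id"), row.get("owner"), flag))
    return hits


# Constructed sample rows in the assumed layout, not real log data.
SAMPLE_ROWS = [
    {"id": i, "event": event, "owner": owner, "extra": json.dumps({"full_command": str(argv)})}
    for i, event, owner, argv in [
        (1, "cli_connections_add", "alice", ["airflow", "connections", "add", "db1", "--conn-password", "********"]),
        (2, "cli_connections_add", "bob", ["airflow", "connections", "add", "db2", "--conn-uri=postgres://u:example-pw@db.example/x"]),
        (3, "cli_connections_add", "bob", ["airflow", "connections", "add", "api", "--conn-extra", '{"token": "example"}']),
        (4, "cli_task_run", "carol", ["airflow", "tasks", "run", "--conn-password", "x"]),
    ]
]
```

Calling find_exposed(SAMPLE_ROWS) reports rows 2 and 3; every connection named in a reported row should be treated as exposed and its credentials rotated.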

Patch Information

Apache has addressed this vulnerability in Airflow version 2.11.1. The fix implements proper redaction of sensitive connection parameters before they are written to audit logs. Organizations should upgrade to 2.11.1 or later to receive this security fix.

For additional details, refer to the Apache Mailing List Discussion and the GitHub Pull Request containing the fix.

Workarounds

  • Restrict audit log access permissions to minimize the number of users who can view potentially exposed data
  • Manually delete audit log entries containing sensitive connection values from the log table
  • Configure connections using the web UI or secrets backends rather than CLI to avoid logging sensitive values
  • Implement database-level encryption for the audit log table as an additional layer of protection
  • Consider deploying a Web Application Firewall (WAF) to monitor and restrict access to audit log endpoints
```bash
# Example: remove sensitive entries from the audit log
# WARNING: Back up your database before running cleanup queries

# Open a SQL shell on the Airflow metadata database
airflow db shell

# Identify potentially sensitive audit log entries (example for PostgreSQL)
# SELECT * FROM log WHERE event LIKE '%connection%' AND dttm < '2026-02-24';

# After reviewing the rows, delete the affected entries carefully.
# CLI audit rows keep the logged command line in the "extra" column, so the
# value filter is applied there rather than to "event".
# DELETE FROM log WHERE event LIKE '%connection%' AND extra LIKE '%password%';

# Rotate credentials after cleanup. Do this on 2.11.1 or later so that the
# new values are not written to the audit log again.
airflow connections delete <connection_id>
airflow connections add <connection_id> --conn-uri <new_sanitized_uri>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Information Disclosure
  • Vendor/Tech: Apache Airflow
  • Severity: MEDIUM
  • CVSS Score: 6.5
  • EPSS Probability: 0.03%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-201
  • CWE-532

Technical References

  • GitHub Pull Request Update

Vendor Resources

  • Apache Mailing List Discussion

Related CVEs

  • CVE-2026-32794: Apache Airflow Databricks Provider Flaw
  • CVE-2026-28563: Apache Airflow Info Disclosure Flaw
  • CVE-2025-65995: Apache Airflow Information Disclosure Flaw
  • CVE-2026-24098: Apache Airflow Information Disclosure Flaw