Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-typh-t13h-w3g1
Vulnerability ID VCID-typh-t13h-w3g1
Aliases BIT-airflow-2025-66236
CVE-2025-66236
GHSA-j86x-fwp2-qh7v
PYSEC-2026-8
Summary Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-532 Insertion of Sensitive Information into Log File
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv4 5.3 https://airflow.apache.org/blog/airflow-3.2.0
generic_textual MODERATE https://airflow.apache.org/blog/airflow-3.2.0
epss 0.00095 https://api.first.org/data/v1/epss?cve=CVE-2025-66236
epss 0.00095 https://api.first.org/data/v1/epss?cve=CVE-2025-66236
epss 0.00095 https://api.first.org/data/v1/epss?cve=CVE-2025-66236
cvssv3.1 7.5 https://github.com/advisories/GHSA-j86x-fwp2-qh7v
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-j86x-fwp2-qh7v
cvssv4 5.3 https://github.com/apache/airflow
generic_textual MODERATE https://github.com/apache/airflow
cvssv3.1 7.5 https://github.com/apache/airflow/pull/58662
cvssv4 5.3 https://github.com/apache/airflow/pull/58662
generic_textual MODERATE https://github.com/apache/airflow/pull/58662
ssvc Track https://github.com/apache/airflow/pull/58662
cvssv4 5.3 https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-8.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-8.yaml
cvssv3.1 7.5 https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
cvssv4 5.3 https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
generic_textual MODERATE https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
ssvc Track https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
cvssv4 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-66236
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-66236
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2026/04/13/6
cvssv4 5.3 http://www.openwall.com/lists/oss-security/2026/04/13/6
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2026/04/13/6
Reference id Reference type URL
https://airflow.apache.org/blog/airflow-3.2.0
https://api.first.org/data/v1/epss?cve=CVE-2025-66236
https://github.com/advisories/GHSA-j86x-fwp2-qh7v
https://github.com/apache/airflow
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-8.yaml
https://nvd.nist.gov/vuln/detail/CVE-2025-66236
http://www.openwall.com/lists/oss-security/2026/04/13/6
58662 https://github.com/apache/airflow/pull/58662
g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://airflow.apache.org/blog/airflow-3.2.0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/advisories/GHSA-j86x-fwp2-qh7v
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/apache/airflow
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/airflow/pull/58662
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/apache/airflow/pull/58662
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:20:26Z/ Found at https://github.com/apache/airflow/pull/58662
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-8.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:20:26Z/ Found at https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-66236
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2026/04/13/6
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at http://www.openwall.com/lists/oss-security/2026/04/13/6
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.26331
EPSS Score 0.00095
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:59:45.377761+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/66xxx/CVE-2025-66236.json 38.6.0