What is GHSA-3qmm-r55x-hpxx?

GHSA-3qmm-r55x-hpxx is a security advisory published by GitHub Security Advisories with High severity. Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated

Which CVE IDs does GHSA-3qmm-r55x-hpxx cover?

GHSA-3qmm-r55x-hpxx covers the following CVE IDs: CVE-2025-68438. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-3qmm-r55x-hpxx?

GHSA-3qmm-r55x-hpxx has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

Which products are affected by GHSA-3qmm-r55x-hpxx?

GHSA-3qmm-r55x-hpxx affects 1 product, including: pip/apache-airflow:\u003e= 3.1.0, \u003c 3.1.6.

GHSA-3qmm-r55x-hpxxHighCVSS 7.5

Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated

Vendor

GitHub Security Advisories

Published

January 16, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2025-68438 →

📋 Description

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.

Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

🎯 Affected products1

pip/apache-airflow:>= 3.1.0, < 3.1.6

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2025-68438
https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff
http://www.openwall.com/lists/oss-security/2026/01/15/5
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-9.yaml
https://github.com/advisories/GHSA-3qmm-r55x-hpxx