Saved February 14, 2026
The article discusses vulnerabilities in Apache Airflow versions before 3.1.6 that can leak sensitive authentication credentials and secrets through logs and user interfaces. Two specific issues allow unauthorized users to access proxy credentials and display sensitive information in the web UI, posing risks to organizations. Immediate upgrades are recommended to mitigate these threats.
Multiple vulnerabilities in Apache Airflow versions before 3.1.6 put sensitive data at risk. Two main issues involve improper masking of credentials in logs and user interfaces, exposing proxy credentials and database secrets. These vulnerabilities can be exploited by anyone with read access to the logs or the web interface, leading to potential credential theft and unauthorized access to sensitive workflows.
The first vulnerability, identified as CVE-2025-68675, affects versions prior to 3.1.6. It allows attackers to extract proxy credentials from task logs. This poses a significant threat for organizations that rely on proxy-authenticated connections, as compromised credentials could enable interception of network traffic. The second vulnerability, CVE-2025-68438, affects versions from 3.1.0 to 3.1.6. It occurs when templated fields exceed a set length, leading to incomplete masking of sensitive information like API keys or database passwords in the user interface.
Both vulnerabilities require authentication, but they still create risk from insider threats and lateral movement within networks. Organizations with strict log retention policies may face extended exposure if leaked credentials remain accessible in archived logs. The recent release of Apache Airflow 3.1.6 addresses these vulnerabilities by properly marking sensitive fields and ensuring that masking patterns are applied before data gets truncated. Users are strongly advised to upgrade immediately or implement tighter access controls as a temporary fix.
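Why the order of masking and truncation matters, shown as an added illustration that is not Apache Airflow's code: a redactor that matches whole secrets cannot recognize a secret that truncation has already cut in half, so the surviving prefix is displayed. The length limit, function names, connection string and secret are all constructed for this example.

```python
# Added illustration; not Apache Airflow code. All names and values are constructed.
MAX_LEN = 40   # hypothetical display limit for a rendered field
MASK = "***"

def mask(text, secrets):
    """Replace every exact occurrence of a known secret with MASK."""
    for s in sorted(secrets, key=len, reverse=True):
        if s:
            text = text.replace(s, MASK)
    return text

def truncate(text, limit=MAX_LEN):
    """Cut text to the display limit, marking the cut with an ellipsis."""
    return text if len(text) <= limit else text[:limit] + "..."

def render_truncate_then_mask(value, secrets):
    # Weak ordering: the secret may be cut before the redactor sees it.
    return mask(truncate(value), secrets)

def render_mask_then_truncate(value, secrets):
    # Corrected ordering: redact the full value, then shorten for display.
    return truncate(mask(value, secrets))

def leaked_fragment(rendered, secrets, min_len=4):
    """Longest secret prefix (>= min_len chars) still visible in rendered text."""
    best = ""
    for s in secrets:
        for n in range(len(s), min_len - 1, -1):
            if s[:n] in rendered:
                if n > len(best):
                    best = s[:n]
                break
    return best

# Constructed sample: a templated field carrying a database password.
SECRET = "hunter2-db-password-9f3a"
FIELD = "postgresql://etl_user:" + SECRET + "@db.example.internal:5432/warehouse"

if __name__ == "__main__":
    for render in (render_truncate_then_mask, render_mask_then_truncate):
        out = render(FIELD, [SECRET])
        print(f"{render.__name__}: {out!r} leaked={leaked_fragment(out, [SECRET])!r}")
```

The same `leaked_fragment` check works as a regression test for any redaction layer: feed it a value longer than the display limit with the secret straddling the cut.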