Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/apache-airflow@2.8.1rc1
Typepypi
Namespace
Nameapache-airflow
Version2.8.1rc1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.2.2
Latest_non_vulnerable_version3.2.2
Affected_by_vulnerabilities
0
url VCID-1w96-f72k-ryap
vulnerability_id VCID-1w96-f72k-ryap
summary A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.
references
0
reference_url https://github.com/apache/airflow/pull/65325
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/65325
1
reference_url https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl
2
reference_url http://www.openwall.com/lists/oss-security/2026/05/31/1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/05/31/1
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-40861, PYSEC-2026-181
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1w96-f72k-ryap
1
url VCID-2xr2-w3hk-auck
vulnerability_id VCID-2xr2-w3hk-auck
summary 
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/61641
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/61641
2
reference_url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25917
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25917
4
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/9
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/17/9
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2zj7-8yhg-8qen
2
vulnerability VCID-4nax-1d7y-1kbh
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-9ru4-qyks-hybs
5
vulnerability VCID-dhj9-usjr-nbfe
6
vulnerability VCID-djdy-z9r3-s3a2
7
vulnerability VCID-dzfs-e5ys-fbhz
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-frvt-ng4a-jqfh
10
vulnerability VCID-pu6f-xhvm-q3du
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-25917, GHSA-6ffj-2wg2-w45j, PYSEC-2026-13
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck
2
url VCID-4ga6-4111-dyc9
vulnerability_id VCID-4ga6-4111-dyc9
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
2
reference_url https://github.com/apache/airflow/pull/36257
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/36257
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
4
reference_url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
5
reference_url http://www.openwall.com/lists/oss-security/2024/01/24/5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/01/24/5
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
reference_id CVE-2023-50944
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
7
reference_url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
reference_id GHSA-vm5m-qmrx-fw8w
reference_type
scores
url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-6vg9-hu9u-q7c3
5
vulnerability VCID-835a-arqz-g7h7
6
vulnerability VCID-91n6-evww-zybp
7
vulnerability VCID-a64u-53x6-dfge
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-e5dn-tpzy-qqec
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-mcbu-b45m-k3ck
13
vulnerability VCID-pu6f-xhvm-q3du
14
vulnerability VCID-t3ap-dzfp-1bd6
15
vulnerability VCID-u5wv-47m4-8yd6
16
vulnerability VCID-x9ns-34nt-gfer
17
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50944, GHSA-vm5m-qmrx-fw8w, PYSEC-2024-14
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9
3
url VCID-56eq-awhd-d3fr
vulnerability_id VCID-56eq-awhd-d3fr
summary 
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. 
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d
2
reference_url https://github.com/apache/airflow/pull/41672
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/41672
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml
4
reference_url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
5
reference_url http://www.openwall.com/lists/oss-security/2024/09/06/3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/09/06/3
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45034
reference_id CVE-2024-45034
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45034
7
reference_url https://github.com/advisories/GHSA-92xg-gmrq-5c3w
reference_id GHSA-92xg-gmrq-5c3w
reference_type
scores
url https://github.com/advisories/GHSA-92xg-gmrq-5c3w
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.1
purl pkg:pypi/apache-airflow@2.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5jyk-dgtu-zfhd
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-djdy-z9r3-s3a2
6
vulnerability VCID-ej1r-mp6n-gudd
7
vulnerability VCID-pu6f-xhvm-q3du
8
vulnerability VCID-t3ap-dzfp-1bd6
9
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1
aliases CVE-2024-45034, GHSA-92xg-gmrq-5c3w, PYSEC-2024-212
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr
4
url VCID-5jyk-dgtu-zfhd
vulnerability_id VCID-5jyk-dgtu-zfhd
summary Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
references
0
reference_url https://github.com/apache/airflow/pull/66737
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://github.com/apache/airflow/pull/66737
1
reference_url https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83
2
reference_url http://www.openwall.com/lists/oss-security/2026/05/31/12
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url http://www.openwall.com/lists/oss-security/2026/05/31/12
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-45360, PYSEC-2026-186
risk_score 3.3
exploitability 0.5
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5jyk-dgtu-zfhd
5
url VCID-6vg9-hu9u-q7c3
vulnerability_id VCID-6vg9-hu9u-q7c3
summary 
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
2
reference_url https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
3
reference_url https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
4
reference_url https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
5
reference_url https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
6
reference_url https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
7
reference_url https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
8
reference_url https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
9
reference_url https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
10
reference_url https://github.com/apache/airflow/pull/37290
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/37290
11
reference_url https://github.com/apache/airflow/pull/37468
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/37468
12
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
13
reference_url https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
14
reference_url http://www.openwall.com/lists/oss-security/2024/02/29/1
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/02/29/1
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27906
reference_id CVE-2024-27906
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-27906
16
reference_url https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
reference_id GHSA-6v6w-h8m6-7mv2
reference_type
scores
url https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.2
purl pkg:pypi/apache-airflow@2.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-e5dn-tpzy-qqec
9
vulnerability VCID-egd2-gh55-qfgj
10
vulnerability VCID-ej1r-mp6n-gudd
11
vulnerability VCID-mcbu-b45m-k3ck
12
vulnerability VCID-pu6f-xhvm-q3du
13
vulnerability VCID-t3ap-dzfp-1bd6
14
vulnerability VCID-u5wv-47m4-8yd6
15
vulnerability VCID-x9ns-34nt-gfer
16
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2
aliases CVE-2024-27906, GHSA-6v6w-h8m6-7mv2, PYSEC-2024-245
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3
6
url VCID-835a-arqz-g7h7
vulnerability_id VCID-835a-arqz-g7h7
summary 
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
2
reference_url https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
3
reference_url https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
4
reference_url https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
5
reference_url https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
6
reference_url https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
7
reference_url https://github.com/apache/airflow/pull/37501
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/37501
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
9
reference_url https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
10
reference_url http://www.openwall.com/lists/oss-security/2024/03/01/1
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/03/01/1
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26280
reference_id CVE-2024-26280
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26280
12
reference_url https://github.com/advisories/GHSA-6xwf-xvf3-v459
reference_id GHSA-6xwf-xvf3-v459
reference_type
scores
url https://github.com/advisories/GHSA-6xwf-xvf3-v459
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.2
purl pkg:pypi/apache-airflow@2.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-e5dn-tpzy-qqec
9
vulnerability VCID-egd2-gh55-qfgj
10
vulnerability VCID-ej1r-mp6n-gudd
11
vulnerability VCID-mcbu-b45m-k3ck
12
vulnerability VCID-pu6f-xhvm-q3du
13
vulnerability VCID-t3ap-dzfp-1bd6
14
vulnerability VCID-u5wv-47m4-8yd6
15
vulnerability VCID-x9ns-34nt-gfer
16
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2
aliases CVE-2024-26280, GHSA-6xwf-xvf3-v459, PYSEC-2024-42
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7
7
url VCID-91n6-evww-zybp
vulnerability_id VCID-91n6-evww-zybp
summary In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/63028
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/63028
2
reference_url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30912
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-30912
4
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/17/5
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2zj7-8yhg-8qen
2
vulnerability VCID-4nax-1d7y-1kbh
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-9ru4-qyks-hybs
5
vulnerability VCID-dhj9-usjr-nbfe
6
vulnerability VCID-djdy-z9r3-s3a2
7
vulnerability VCID-dzfs-e5ys-fbhz
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-frvt-ng4a-jqfh
10
vulnerability VCID-pu6f-xhvm-q3du
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-30912, GHSA-w7cf-2pmc-5m4c, PYSEC-2026-18
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp
8
url VCID-a64u-53x6-dfge
vulnerability_id VCID-a64u-53x6-dfge
summary Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/8159f6e24704f5e0e3b3217cf79ecf5083dce531
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/8159f6e24704f5e0e3b3217cf79ecf5083dce531
2
reference_url https://github.com/apache/airflow/pull/40522
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/40522
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml
4
reference_url https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
5
reference_url http://www.openwall.com/lists/oss-security/2024/07/16/7
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/07/16/7
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39877
reference_id CVE-2024-39877
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-39877
7
reference_url https://github.com/advisories/GHSA-g5hv-r743-v8pm
reference_id GHSA-g5hv-r743-v8pm
reference_type
scores
url https://github.com/advisories/GHSA-g5hv-r743-v8pm
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.3
purl pkg:pypi/apache-airflow@2.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-dh4r-77xc-cbas
6
vulnerability VCID-djdy-z9r3-s3a2
7
vulnerability VCID-ej1r-mp6n-gudd
8
vulnerability VCID-mcbu-b45m-k3ck
9
vulnerability VCID-pu6f-xhvm-q3du
10
vulnerability VCID-t3ap-dzfp-1bd6
11
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3
aliases CVE-2024-39877, GHSA-g5hv-r743-v8pm, PYSEC-2024-190
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a64u-53x6-dfge
9
url VCID-amac-hqnj-xfgz
vulnerability_id VCID-amac-hqnj-xfgz
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
2
reference_url https://github.com/apache/airflow/pull/36255
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/36255
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
4
reference_url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
5
reference_url http://www.openwall.com/lists/oss-security/2024/01/24/4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/01/24/4
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
reference_id CVE-2023-50943
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
7
reference_url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
reference_id GHSA-c3c6-f2ww-xfr2
reference_type
scores
url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-6vg9-hu9u-q7c3
5
vulnerability VCID-835a-arqz-g7h7
6
vulnerability VCID-91n6-evww-zybp
7
vulnerability VCID-a64u-53x6-dfge
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-e5dn-tpzy-qqec
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-mcbu-b45m-k3ck
13
vulnerability VCID-pu6f-xhvm-q3du
14
vulnerability VCID-t3ap-dzfp-1bd6
15
vulnerability VCID-u5wv-47m4-8yd6
16
vulnerability VCID-x9ns-34nt-gfer
17
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50943, GHSA-c3c6-f2ww-xfr2, PYSEC-2024-13
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz
10
url VCID-dh4r-77xc-cbas
vulnerability_id VCID-dh4r-77xc-cbas
summary 
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.

This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-25693
reference_id
reference_type
scores
0
value 0.03621
scoring_system epss
scoring_elements 0.88009
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-25693
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/29500
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/29500
3
reference_url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
reference_id CVE-2023-25693
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
5
reference_url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
reference_id GHSA-j69x-v4wc-3fpf
reference_type
scores
url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.1
purl pkg:pypi/apache-airflow@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2b14-1bp2-gua6
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-5hxx-r2d2-9ybk
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-9j1n-cypf-p7g5
7
vulnerability VCID-9ru4-qyks-hybs
8
vulnerability VCID-dhj9-usjr-nbfe
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-dzfs-e5ys-fbhz
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-etmw-7eq5-mqa2
13
vulnerability VCID-ezmu-8g1y-e3hz
14
vulnerability VCID-geg4-1kgh-akde
15
vulnerability VCID-hkwf-65vr-dkfz
16
vulnerability VCID-knrd-atwy-gubn
17
vulnerability VCID-pu6f-xhvm-q3du
18
vulnerability VCID-snqz-3f8t-syhd
19
vulnerability VCID-t3ap-dzfp-1bd6
20
vulnerability VCID-tbb9-myv7-a7h4
21
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1
aliases CVE-2023-25693, GHSA-j69x-v4wc-3fpf, PYSEC-2023-314
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas
11
url VCID-djdy-z9r3-s3a2
vulnerability_id VCID-djdy-z9r3-s3a2
summary A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.
references
0
reference_url https://github.com/apache/airflow/pull/67289
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/67289
1
reference_url https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx
2
reference_url https://www.cve.org/CVERecord?id=CVE-2025-57735
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://www.cve.org/CVERecord?id=CVE-2025-57735
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-48726, PYSEC-2026-187
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-djdy-z9r3-s3a2
12
url VCID-e5dn-tpzy-qqec
vulnerability_id VCID-e5dn-tpzy-qqec
summary 
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. 

Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca
2
reference_url https://github.com/apache/airflow/pull/37881
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/37881
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml
4
reference_url https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7
5
reference_url http://www.openwall.com/lists/oss-security/2024/03/13/5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/03/13/5
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28746
reference_id CVE-2024-28746
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28746
7
reference_url https://github.com/advisories/GHSA-h574-6646-vfxx
reference_id GHSA-h574-6646-vfxx
reference_type
scores
url https://github.com/advisories/GHSA-h574-6646-vfxx
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.3rc1
purl pkg:pypi/apache-airflow@2.8.3rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-mcbu-b45m-k3ck
10
vulnerability VCID-pu6f-xhvm-q3du
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-u5wv-47m4-8yd6
13
vulnerability VCID-x9ns-34nt-gfer
14
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.3rc1
aliases CVE-2024-28746, GHSA-h574-6646-vfxx, PYSEC-2024-46
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e5dn-tpzy-qqec
13
url VCID-ej1r-mp6n-gudd
vulnerability_id VCID-ej1r-mp6n-gudd
summary A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.
references
0
reference_url https://github.com/apache/airflow/pull/66673
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/66673
1
reference_url https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd
2
reference_url http://www.openwall.com/lists/oss-security/2026/06/01/3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/06/01/3
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-45192, PYSEC-2026-173
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ej1r-mp6n-gudd
14
url VCID-mcbu-b45m-k3ck
vulnerability_id VCID-mcbu-b45m-k3ck
summary 
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98
2
reference_url https://github.com/apache/airflow/pull/40933
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/40933
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml
4
reference_url https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d
5
reference_url http://www.openwall.com/lists/oss-security/2024/08/21/3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/08/21/3
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-41937
reference_id CVE-2024-41937
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-41937
7
reference_url https://github.com/advisories/GHSA-w7cp-g8v7-r54m
reference_id GHSA-w7cp-g8v7-r54m
reference_type
scores
url https://github.com/advisories/GHSA-w7cp-g8v7-r54m
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.0
purl pkg:pypi/apache-airflow@2.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-53rr-p2an-3bg9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-pu6f-xhvm-q3du
10
vulnerability VCID-t3ap-dzfp-1bd6
11
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0
aliases CVE-2024-41937, GHSA-w7cp-g8v7-r54m, PYSEC-2024-181
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck
15
url VCID-pu6f-xhvm-q3du
vulnerability_id VCID-pu6f-xhvm-q3du
summary A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
references
0
reference_url https://github.com/apache/airflow/pull/65906
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/65906
1
reference_url https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.2
purl pkg:pypi/apache-airflow@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2
aliases CVE-2026-42360, PYSEC-2026-172
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pu6f-xhvm-q3du
16
url VCID-t3ap-dzfp-1bd6
vulnerability_id VCID-t3ap-dzfp-1bd6
summary 
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.

Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/59688
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/59688
2
reference_url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
3
reference_url http://www.openwall.com/lists/oss-security/2026/01/15/6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/01/15/6
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
reference_id CVE-2025-68675
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
5
reference_url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
reference_id GHSA-7c2f-r6gc-h92h
reference_type
scores
url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
fixed_packages
0
url pkg:pypi/apache-airflow@2.11.1
purl pkg:pypi/apache-airflow@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5jyk-dgtu-zfhd
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-djdy-z9r3-s3a2
6
vulnerability VCID-ej1r-mp6n-gudd
7
vulnerability VCID-pu6f-xhvm-q3du
8
vulnerability VCID-t3ap-dzfp-1bd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1
1
url pkg:pypi/apache-airflow@3.1.6
purl pkg:pypi/apache-airflow@3.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2b14-1bp2-gua6
2
vulnerability VCID-2xr2-w3hk-auck
3
vulnerability VCID-5hxx-r2d2-9ybk
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-91n6-evww-zybp
6
vulnerability VCID-9j1n-cypf-p7g5
7
vulnerability VCID-9ru4-qyks-hybs
8
vulnerability VCID-dhj9-usjr-nbfe
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-dzfs-e5ys-fbhz
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-etmw-7eq5-mqa2
13
vulnerability VCID-geg4-1kgh-akde
14
vulnerability VCID-hkwf-65vr-dkfz
15
vulnerability VCID-knrd-atwy-gubn
16
vulnerability VCID-pu6f-xhvm-q3du
17
vulnerability VCID-tbb9-myv7-a7h4
18
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6
aliases CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6
17
url VCID-u5wv-47m4-8yd6
vulnerability_id VCID-u5wv-47m4-8yd6
summary Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/43040
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/43040
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml
3
reference_url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
4
reference_url http://www.openwall.com/lists/oss-security/2024/11/15/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/11/15/1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45784
reference_id CVE-2024-45784
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45784
6
reference_url https://github.com/advisories/GHSA-46c3-5xc5-wwhv
reference_id GHSA-46c3-5xc5-wwhv
reference_type
scores
url https://github.com/advisories/GHSA-46c3-5xc5-wwhv
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.3
purl pkg:pypi/apache-airflow@2.10.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5jyk-dgtu-zfhd
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-djdy-z9r3-s3a2
6
vulnerability VCID-ej1r-mp6n-gudd
7
vulnerability VCID-pu6f-xhvm-q3du
8
vulnerability VCID-t3ap-dzfp-1bd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3
aliases CVE-2024-45784, GHSA-46c3-5xc5-wwhv, PYSEC-2024-182
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6
18
url VCID-x9ns-34nt-gfer
vulnerability_id VCID-x9ns-34nt-gfer
summary 
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3
2
reference_url https://github.com/apache/airflow/pull/39550
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/39550
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml
4
reference_url https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
5
reference_url http://www.openwall.com/lists/oss-security/2024/06/13/1
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/06/13/1
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25142
reference_id CVE-2024-25142
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25142
7
reference_url https://github.com/advisories/GHSA-9xpj-62mm-24h2
reference_id GHSA-9xpj-62mm-24h2
reference_type
scores
url https://github.com/advisories/GHSA-9xpj-62mm-24h2
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.2
purl pkg:pypi/apache-airflow@2.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-a64u-53x6-dfge
6
vulnerability VCID-dh4r-77xc-cbas
7
vulnerability VCID-djdy-z9r3-s3a2
8
vulnerability VCID-ej1r-mp6n-gudd
9
vulnerability VCID-mcbu-b45m-k3ck
10
vulnerability VCID-pu6f-xhvm-q3du
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-u5wv-47m4-8yd6
13
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2
aliases CVE-2024-25142, GHSA-9xpj-62mm-24h2, PYSEC-2024-195
risk_score 2.5
exploitability 0.5
weighted_severity 5.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer
19
url VCID-ydhm-m8vh-mber
vulnerability_id VCID-ydhm-m8vh-mber
summary Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58
2
reference_url https://github.com/apache/airflow/pull/40475
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/40475
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml
4
reference_url https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3
5
reference_url http://www.openwall.com/lists/oss-security/2024/07/16/6
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/07/16/6
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39863
reference_id CVE-2024-39863
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-39863
7
reference_url https://github.com/advisories/GHSA-j482-47xf-p25c
reference_id GHSA-j482-47xf-p25c
reference_type
scores
url https://github.com/advisories/GHSA-j482-47xf-p25c
fixed_packages
0
url pkg:pypi/apache-airflow@2.9.3
purl pkg:pypi/apache-airflow@2.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-91n6-evww-zybp
5
vulnerability VCID-dh4r-77xc-cbas
6
vulnerability VCID-djdy-z9r3-s3a2
7
vulnerability VCID-ej1r-mp6n-gudd
8
vulnerability VCID-mcbu-b45m-k3ck
9
vulnerability VCID-pu6f-xhvm-q3du
10
vulnerability VCID-t3ap-dzfp-1bd6
11
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3
aliases CVE-2024-39863, GHSA-j482-47xf-p25c, PYSEC-2024-189
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber
Fixing_vulnerabilities
0
url VCID-4ga6-4111-dyc9
vulnerability_id VCID-4ga6-4111-dyc9
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
2
reference_url https://github.com/apache/airflow/pull/36257
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/36257
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
4
reference_url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
5
reference_url http://www.openwall.com/lists/oss-security/2024/01/24/5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/01/24/5
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
reference_id CVE-2023-50944
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-50944
7
reference_url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
reference_id GHSA-vm5m-qmrx-fw8w
reference_type
scores
url https://github.com/advisories/GHSA-vm5m-qmrx-fw8w
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1rc1
purl pkg:pypi/apache-airflow@2.8.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-4ga6-4111-dyc9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-6vg9-hu9u-q7c3
6
vulnerability VCID-835a-arqz-g7h7
7
vulnerability VCID-91n6-evww-zybp
8
vulnerability VCID-a64u-53x6-dfge
9
vulnerability VCID-amac-hqnj-xfgz
10
vulnerability VCID-dh4r-77xc-cbas
11
vulnerability VCID-djdy-z9r3-s3a2
12
vulnerability VCID-e5dn-tpzy-qqec
13
vulnerability VCID-ej1r-mp6n-gudd
14
vulnerability VCID-mcbu-b45m-k3ck
15
vulnerability VCID-pu6f-xhvm-q3du
16
vulnerability VCID-t3ap-dzfp-1bd6
17
vulnerability VCID-u5wv-47m4-8yd6
18
vulnerability VCID-x9ns-34nt-gfer
19
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1
1
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-6vg9-hu9u-q7c3
5
vulnerability VCID-835a-arqz-g7h7
6
vulnerability VCID-91n6-evww-zybp
7
vulnerability VCID-a64u-53x6-dfge
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-e5dn-tpzy-qqec
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-mcbu-b45m-k3ck
13
vulnerability VCID-pu6f-xhvm-q3du
14
vulnerability VCID-t3ap-dzfp-1bd6
15
vulnerability VCID-u5wv-47m4-8yd6
16
vulnerability VCID-x9ns-34nt-gfer
17
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50944, GHSA-vm5m-qmrx-fw8w, PYSEC-2024-14
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9
1
url VCID-amac-hqnj-xfgz
vulnerability_id VCID-amac-hqnj-xfgz
summary Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462
2
reference_url https://github.com/apache/airflow/pull/36255
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/pull/36255
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml
4
reference_url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
5
reference_url http://www.openwall.com/lists/oss-security/2024/01/24/4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/01/24/4
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
reference_id CVE-2023-50943
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-50943
7
reference_url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
reference_id GHSA-c3c6-f2ww-xfr2
reference_type
scores
url https://github.com/advisories/GHSA-c3c6-f2ww-xfr2
fixed_packages
0
url pkg:pypi/apache-airflow@2.8.1rc1
purl pkg:pypi/apache-airflow@2.8.1rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-4ga6-4111-dyc9
3
vulnerability VCID-56eq-awhd-d3fr
4
vulnerability VCID-5jyk-dgtu-zfhd
5
vulnerability VCID-6vg9-hu9u-q7c3
6
vulnerability VCID-835a-arqz-g7h7
7
vulnerability VCID-91n6-evww-zybp
8
vulnerability VCID-a64u-53x6-dfge
9
vulnerability VCID-amac-hqnj-xfgz
10
vulnerability VCID-dh4r-77xc-cbas
11
vulnerability VCID-djdy-z9r3-s3a2
12
vulnerability VCID-e5dn-tpzy-qqec
13
vulnerability VCID-ej1r-mp6n-gudd
14
vulnerability VCID-mcbu-b45m-k3ck
15
vulnerability VCID-pu6f-xhvm-q3du
16
vulnerability VCID-t3ap-dzfp-1bd6
17
vulnerability VCID-u5wv-47m4-8yd6
18
vulnerability VCID-x9ns-34nt-gfer
19
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1
1
url pkg:pypi/apache-airflow@2.8.1
purl pkg:pypi/apache-airflow@2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w96-f72k-ryap
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-56eq-awhd-d3fr
3
vulnerability VCID-5jyk-dgtu-zfhd
4
vulnerability VCID-6vg9-hu9u-q7c3
5
vulnerability VCID-835a-arqz-g7h7
6
vulnerability VCID-91n6-evww-zybp
7
vulnerability VCID-a64u-53x6-dfge
8
vulnerability VCID-dh4r-77xc-cbas
9
vulnerability VCID-djdy-z9r3-s3a2
10
vulnerability VCID-e5dn-tpzy-qqec
11
vulnerability VCID-ej1r-mp6n-gudd
12
vulnerability VCID-mcbu-b45m-k3ck
13
vulnerability VCID-pu6f-xhvm-q3du
14
vulnerability VCID-t3ap-dzfp-1bd6
15
vulnerability VCID-u5wv-47m4-8yd6
16
vulnerability VCID-x9ns-34nt-gfer
17
vulnerability VCID-ydhm-m8vh-mber
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1
aliases CVE-2023-50943, GHSA-c3c6-f2ww-xfr2, PYSEC-2024-13
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1