| 0 |
| url |
VCID-2xr2-w3hk-auck |
| vulnerability_id |
VCID-2xr2-w3hk-auck |
| summary |
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.
Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-25917, PYSEC-2026-13
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck |
|
| 1 |
| url |
VCID-56eq-awhd-d3fr |
| vulnerability_id |
VCID-56eq-awhd-d3fr |
| summary |
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author.
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-45034, PYSEC-2024-212
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr |
|
| 2 |
| url |
VCID-6vg9-hu9u-q7c3 |
| vulnerability_id |
VCID-6vg9-hu9u-q7c3 |
| summary |
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.
Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-27906, GHSA-6v6w-h8m6-7mv2, PYSEC-2024-245
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3 |
|
| 3 |
| url |
VCID-835a-arqz-g7h7 |
| vulnerability_id |
VCID-835a-arqz-g7h7 |
| summary |
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.
Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-26280, GHSA-6xwf-xvf3-v459, PYSEC-2024-42
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7 |
|
| 4 |
| url |
VCID-91n6-evww-zybp |
| vulnerability_id |
VCID-91n6-evww-zybp |
| summary |
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-30912, PYSEC-2026-18
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp |
|
| 5 |
| url |
VCID-a64u-53x6-dfge |
| vulnerability_id |
VCID-a64u-53x6-dfge |
| summary |
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-39877, PYSEC-2024-190
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a64u-53x6-dfge |
|
| 6 |
| url |
VCID-dh4r-77xc-cbas |
| vulnerability_id |
VCID-dh4r-77xc-cbas |
| summary |
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.
This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/apache-airflow@3.1.1 |
| purl |
pkg:pypi/apache-airflow@3.1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2b14-1bp2-gua6 |
|
| 1 |
| vulnerability |
VCID-2xr2-w3hk-auck |
|
| 2 |
| vulnerability |
VCID-5hxx-r2d2-9ybk |
|
| 3 |
| vulnerability |
VCID-91n6-evww-zybp |
|
| 4 |
| vulnerability |
VCID-9j1n-cypf-p7g5 |
|
| 5 |
| vulnerability |
VCID-etmw-7eq5-mqa2 |
|
| 6 |
| vulnerability |
VCID-ezmu-8g1y-e3hz |
|
| 7 |
| vulnerability |
VCID-geg4-1kgh-akde |
|
| 8 |
| vulnerability |
VCID-hkwf-65vr-dkfz |
|
| 9 |
| vulnerability |
VCID-knrd-atwy-gubn |
|
| 10 |
| vulnerability |
VCID-snqz-3f8t-syhd |
|
| 11 |
| vulnerability |
VCID-t3ap-dzfp-1bd6 |
|
| 12 |
| vulnerability |
VCID-tbb9-myv7-a7h4 |
|
| 13 |
| vulnerability |
VCID-w56f-fmkf-dkfv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1 |
|
|
| aliases |
CVE-2023-25693, GHSA-j69x-v4wc-3fpf, PYSEC-2023-314
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas |
|
| 7 |
| url |
VCID-e5dn-tpzy-qqec |
| vulnerability_id |
VCID-e5dn-tpzy-qqec |
| summary |
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.
Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-28746, GHSA-h574-6646-vfxx, PYSEC-2024-46
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e5dn-tpzy-qqec |
|
| 8 |
| url |
VCID-mcbu-b45m-k3ck |
| vulnerability_id |
VCID-mcbu-b45m-k3ck |
| summary |
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-41937, PYSEC-2024-181
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck |
|
| 9 |
| url |
VCID-t3ap-dzfp-1bd6 |
| vulnerability_id |
VCID-t3ap-dzfp-1bd6 |
| summary |
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.
Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6 |
|
| 10 |
| url |
VCID-u5wv-47m4-8yd6 |
| vulnerability_id |
VCID-u5wv-47m4-8yd6 |
| summary |
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-45784, PYSEC-2024-182
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6 |
|
| 11 |
| url |
VCID-x9ns-34nt-gfer |
| vulnerability_id |
VCID-x9ns-34nt-gfer |
| summary |
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.
Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.
This issue affects Apache Airflow: before 2.9.2.
Users are recommended to upgrade to version 2.9.2, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-25142, PYSEC-2024-195
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer |
|
| 12 |
| url |
VCID-ydhm-m8vh-mber |
| vulnerability_id |
VCID-ydhm-m8vh-mber |
| summary |
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-39863, PYSEC-2024-189
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber |
|