Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/apache-airflow@3.1.5rc1
Typepypi
Namespace
Nameapache-airflow
Version3.1.5rc1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.2.0
Latest_non_vulnerable_version3.2.1rc1
Affected_by_vulnerabilities
0
url VCID-4fjp-pn9s-tyhz
vulnerability_id VCID-4fjp-pn9s-tyhz
summary 
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.

Users are recommended to upgrade to 3.1.6 or later, which fixes this issue
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-68438
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07657
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-68438
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T16:09:05Z/
url https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff
3
reference_url http://www.openwall.com/lists/oss-security/2026/01/15/5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/01/15/5
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68438
reference_id CVE-2025-68438
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68438
5
reference_url https://github.com/advisories/GHSA-3qmm-r55x-hpxx
reference_id GHSA-3qmm-r55x-hpxx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3qmm-r55x-hpxx
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.6
purl pkg:pypi/apache-airflow@3.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9x6r-5m59-yyap
1
vulnerability VCID-bv7f-s53t-uqe4
2
vulnerability VCID-g8pv-cam5-d7dj
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-kmz1-dm9f-d7hj
5
vulnerability VCID-m3ff-jty5-3uhw
6
vulnerability VCID-nrc9-bdc2-dfes
7
vulnerability VCID-pvh4-3wng-ekdq
8
vulnerability VCID-tj2m-5j3f-5ueq
9
vulnerability VCID-tpjn-4kru-vucv
10
vulnerability VCID-vwv4-7y7y-9fcj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6
aliases BIT-airflow-2025-68438, CVE-2025-68438, GHSA-3qmm-r55x-hpxx, PYSEC-2026-9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4fjp-pn9s-tyhz
1
url VCID-9x6r-5m59-yyap
vulnerability_id VCID-9x6r-5m59-yyap
summary 
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4].

[1] Security Model:  https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html 
[2] Workload isolation:  https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html 
[3] JWT Token authentication:  https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html 
[4] Airflow 3.2.0 Blog announcement:  https://airflow.apache.org/blog/airflow-3.2.0/ 



Users are recommended to upgrade to version 3.2.0, which fixes this issue.
references
0
reference_url https://airflow.apache.org/blog/airflow-3.2.0
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://airflow.apache.org/blog/airflow-3.2.0
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-66236
reference_id
reference_type
scores
0
value 0.00119
scoring_system epss
scoring_elements 0.30487
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-66236
2
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
3
reference_url https://github.com/apache/airflow/pull/58662
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:20:26Z/
url https://github.com/apache/airflow/pull/58662
4
reference_url https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:20:26Z/
url https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66236
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-66236
6
reference_url http://www.openwall.com/lists/oss-security/2026/04/13/6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/13/6
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases BIT-airflow-2025-66236, CVE-2025-66236, GHSA-j86x-fwp2-qh7v, PYSEC-2026-8
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9x6r-5m59-yyap
2
url VCID-bv7f-s53t-uqe4
vulnerability_id VCID-bv7f-s53t-uqe4
summary 
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only.

Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results.

Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34538
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.052
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34538
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/64415
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:05:44Z/
url https://github.com/apache/airflow/pull/64415
3
reference_url https://github.com/apache/airflow/releases/tag/3.2.0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow/releases/tag/3.2.0
4
reference_url https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:05:44Z/
url https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34538
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34538
6
reference_url http://www.openwall.com/lists/oss-security/2026/04/09/9
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/09/9
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases BIT-airflow-2026-34538, CVE-2026-34538, GHSA-r7vr-m4jw-r794, PYSEC-2026-21
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bv7f-s53t-uqe4
3
url VCID-g8pv-cam5-d7dj
vulnerability_id VCID-g8pv-cam5-d7dj
summary 
Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url.
This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full session takeover without attacking Airflow itself.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28779
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.09334
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28779
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/62771
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-17T13:44:27Z/
url https://github.com/apache/airflow/pull/62771
3
reference_url https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-17T13:44:27Z/
url https://lists.apache.org/thread/r4n5znb8mcq14wo9v8ndml36nxlksdqb
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28779
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28779
5
reference_url http://www.openwall.com/lists/oss-security/2026/03/17/3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/03/17/3
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.8
purl pkg:pypi/apache-airflow@3.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4wyy-4bw7-qubg
1
vulnerability VCID-9x6r-5m59-yyap
2
vulnerability VCID-bv7f-s53t-uqe4
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-pvh4-3wng-ekdq
5
vulnerability VCID-tpjn-4kru-vucv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.8
aliases BIT-airflow-2026-28779, CVE-2026-28779, GHSA-4fhm-p86v-hwpx, PYSEC-2026-16
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g8pv-cam5-d7dj
4
url VCID-j6uh-kx6m-sydp
vulnerability_id VCID-j6uh-kx6m-sydp
summary 
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25917
reference_id
reference_type
scores
0
value 0.00051
scoring_system epss
scoring_elements 0.16117
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25917
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/61641
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-22T03:55:40Z/
url https://github.com/apache/airflow/pull/61641
3
reference_url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-22T03:55:40Z/
url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25917
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25917
5
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/9
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/17/9
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases BIT-airflow-2026-25917, CVE-2026-25917, GHSA-6ffj-2wg2-w45j, PYSEC-2026-13
risk_score 3.2
exploitability 0.5
weighted_severity 6.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j6uh-kx6m-sydp
5
url VCID-kmz1-dm9f-d7hj
vulnerability_id VCID-kmz1-dm9f-d7hj
summary 
Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance.


Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-30911
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13548
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-30911
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/62886
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T13:41:43Z/
url https://github.com/apache/airflow/pull/62886
3
reference_url https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T13:41:43Z/
url https://lists.apache.org/thread/1rs2v7fcko2otl6n9ytthcj87cmsgx51
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30911
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-30911
5
reference_url http://www.openwall.com/lists/oss-security/2026/03/17/2
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/03/17/2
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.8
purl pkg:pypi/apache-airflow@3.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4wyy-4bw7-qubg
1
vulnerability VCID-9x6r-5m59-yyap
2
vulnerability VCID-bv7f-s53t-uqe4
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-pvh4-3wng-ekdq
5
vulnerability VCID-tpjn-4kru-vucv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.8
aliases BIT-airflow-2026-30911, CVE-2026-30911, GHSA-8x34-9q3v-h7g8, PYSEC-2026-17
risk_score 3.6
exploitability 0.5
weighted_severity 7.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kmz1-dm9f-d7hj
6
url VCID-m3ff-jty5-3uhw
vulnerability_id VCID-m3ff-jty5-3uhw
summary 
Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.


Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26929
reference_id
reference_type
scores
0
value 0.00054
scoring_system epss
scoring_elements 0.17271
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26929
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/61675
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:40:34Z/
url https://github.com/apache/airflow/pull/61675
3
reference_url https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:40:34Z/
url https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26929
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26929
5
reference_url http://www.openwall.com/lists/oss-security/2026/03/17/4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/03/17/4
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.8
purl pkg:pypi/apache-airflow@3.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4wyy-4bw7-qubg
1
vulnerability VCID-9x6r-5m59-yyap
2
vulnerability VCID-bv7f-s53t-uqe4
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-pvh4-3wng-ekdq
5
vulnerability VCID-tpjn-4kru-vucv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.8
aliases BIT-airflow-2026-26929, CVE-2026-26929, GHSA-4m3h-wp5w-5hqh, PYSEC-2026-14
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m3ff-jty5-3uhw
7
url VCID-nrc9-bdc2-dfes
vulnerability_id VCID-nrc9-bdc2-dfes
summary 
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.


Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28563
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.11189
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28563
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/62046
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:41:12Z/
url https://github.com/apache/airflow/pull/62046
3
reference_url https://lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:41:12Z/
url https://lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28563
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28563
5
reference_url http://www.openwall.com/lists/oss-security/2026/03/17/5
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/03/17/5
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.8
purl pkg:pypi/apache-airflow@3.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4wyy-4bw7-qubg
1
vulnerability VCID-9x6r-5m59-yyap
2
vulnerability VCID-bv7f-s53t-uqe4
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-pvh4-3wng-ekdq
5
vulnerability VCID-tpjn-4kru-vucv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.8
aliases BIT-airflow-2026-28563, CVE-2026-28563, GHSA-x3fv-96qh-67m7, PYSEC-2026-15
risk_score 1.9
exploitability 0.5
weighted_severity 3.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nrc9-bdc2-dfes
8
url VCID-pvh4-3wng-ekdq
vulnerability_id VCID-pvh4-3wng-ekdq
summary 
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.

If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32690
reference_id
reference_type
scores
0
value 0.00112
scoring_system epss
scoring_elements 0.29371
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32690
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/63480
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:11:00Z/
url https://github.com/apache/airflow/pull/63480
3
reference_url https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:11:00Z/
url https://lists.apache.org/thread/7rnzxofntcznqxnhsmjvvlvygwph7rn5
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32690
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32690
5
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/6
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/17/6
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases BIT-airflow-2026-32690, CVE-2026-32690, GHSA-w9r4-94fj-xp69, PYSEC-2026-19
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pvh4-3wng-ekdq
9
url VCID-tj2m-5j3f-5ueq
vulnerability_id VCID-tj2m-5j3f-5ueq
summary 
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. 

Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22922
reference_id
reference_type
scores
0
value 0.00037
scoring_system epss
scoring_elements 0.11432
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22922
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/60412
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T16:31:30Z/
url https://github.com/apache/airflow/pull/60412
3
reference_url https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T16:31:30Z/
url https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
4
reference_url http://www.openwall.com/lists/oss-security/2026/02/09/2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/02/09/2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22922
reference_id CVE-2026-22922
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22922
6
reference_url https://github.com/advisories/GHSA-pm44-x5x7-24c4
reference_id GHSA-pm44-x5x7-24c4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pm44-x5x7-24c4
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.7
purl pkg:pypi/apache-airflow@3.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9x6r-5m59-yyap
1
vulnerability VCID-bv7f-s53t-uqe4
2
vulnerability VCID-g8pv-cam5-d7dj
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-kmz1-dm9f-d7hj
5
vulnerability VCID-m3ff-jty5-3uhw
6
vulnerability VCID-nrc9-bdc2-dfes
7
vulnerability VCID-pvh4-3wng-ekdq
8
vulnerability VCID-tpjn-4kru-vucv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.7
aliases BIT-airflow-2026-22922, CVE-2026-22922, GHSA-pm44-x5x7-24c4, PYSEC-2026-11
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tj2m-5j3f-5ueq
10
url VCID-tpjn-4kru-vucv
vulnerability_id VCID-tpjn-4kru-vucv
summary In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-30912
reference_id
reference_type
scores
0
value 0.00095
scoring_system epss
scoring_elements 0.26413
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-30912
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/63028
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:56:44Z/
url https://github.com/apache/airflow/pull/63028
3
reference_url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:56:44Z/
url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30912
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-30912
5
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/17/5
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases BIT-airflow-2026-30912, CVE-2026-30912, GHSA-w7cf-2pmc-5m4c, PYSEC-2026-18
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tpjn-4kru-vucv
11
url VCID-vras-f42j-xqfg
vulnerability_id VCID-vras-f42j-xqfg
summary 
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.

Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-68675
reference_id
reference_type
scores
0
value 0.00035
scoring_system epss
scoring_elements 0.10793
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-68675
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/59688
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T16:05:54Z/
url https://github.com/apache/airflow/pull/59688
3
reference_url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T16:05:54Z/
url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
4
reference_url http://www.openwall.com/lists/oss-security/2026/01/15/6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/01/15/6
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
reference_id CVE-2025-68675
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
6
reference_url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
reference_id GHSA-7c2f-r6gc-h92h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.6
purl pkg:pypi/apache-airflow@3.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9x6r-5m59-yyap
1
vulnerability VCID-bv7f-s53t-uqe4
2
vulnerability VCID-g8pv-cam5-d7dj
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-kmz1-dm9f-d7hj
5
vulnerability VCID-m3ff-jty5-3uhw
6
vulnerability VCID-nrc9-bdc2-dfes
7
vulnerability VCID-pvh4-3wng-ekdq
8
vulnerability VCID-tj2m-5j3f-5ueq
9
vulnerability VCID-tpjn-4kru-vucv
10
vulnerability VCID-vwv4-7y7y-9fcj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6
aliases BIT-airflow-2025-68675, CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vras-f42j-xqfg
12
url VCID-vwv4-7y7y-9fcj
vulnerability_id VCID-vwv4-7y7y-9fcj
summary 
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. 

Users are advised to upgrade to 3.1.7 or later, which resolves this issue
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24098
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02721
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24098
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/60801
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:28:52Z/
url https://github.com/apache/airflow/pull/60801
3
reference_url https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:28:52Z/
url https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x
4
reference_url http://www.openwall.com/lists/oss-security/2026/02/09/3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/09/3
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24098
reference_id CVE-2026-24098
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24098
6
reference_url https://github.com/advisories/GHSA-5g2w-9f8g-g5q7
reference_id GHSA-5g2w-9f8g-g5q7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5g2w-9f8g-g5q7
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.7
purl pkg:pypi/apache-airflow@3.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9x6r-5m59-yyap
1
vulnerability VCID-bv7f-s53t-uqe4
2
vulnerability VCID-g8pv-cam5-d7dj
3
vulnerability VCID-j6uh-kx6m-sydp
4
vulnerability VCID-kmz1-dm9f-d7hj
5
vulnerability VCID-m3ff-jty5-3uhw
6
vulnerability VCID-nrc9-bdc2-dfes
7
vulnerability VCID-pvh4-3wng-ekdq
8
vulnerability VCID-tpjn-4kru-vucv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.7
aliases BIT-airflow-2026-24098, CVE-2026-24098, GHSA-5g2w-9f8g-g5q7, PYSEC-2026-12
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vwv4-7y7y-9fcj
Fixing_vulnerabilities
0
url VCID-huhh-68py-hbe2
vulnerability_id VCID-huhh-68py-hbe2
summary 
Apache Airflow error reporting may expose full kwargs
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.

The issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-65995
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.03676
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-65995
1
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/airflow
2
reference_url https://github.com/apache/airflow/pull/58252
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T15:47:06Z/
url https://github.com/apache/airflow/pull/58252
3
reference_url https://github.com/apache/airflow/pull/61883
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T15:47:06Z/
url https://github.com/apache/airflow/pull/61883
4
reference_url https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T15:47:06Z/
url https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2
5
reference_url http://www.openwall.com/lists/oss-security/2025/12/12/2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/12/12/2
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-65995
reference_id CVE-2025-65995
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-65995
7
reference_url https://github.com/advisories/GHSA-gfw7-2v73-69wg
reference_id GHSA-gfw7-2v73-69wg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gfw7-2v73-69wg
fixed_packages
0
url pkg:pypi/apache-airflow@2.11.1
purl pkg:pypi/apache-airflow@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1azm-hsvr-f3e8
1
vulnerability VCID-j6uh-kx6m-sydp
2
vulnerability VCID-tpjn-4kru-vucv
3
vulnerability VCID-vras-f42j-xqfg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1
1
url pkg:pypi/apache-airflow@3.1.5rc1
purl pkg:pypi/apache-airflow@3.1.5rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4fjp-pn9s-tyhz
1
vulnerability VCID-9x6r-5m59-yyap
2
vulnerability VCID-bv7f-s53t-uqe4
3
vulnerability VCID-g8pv-cam5-d7dj
4
vulnerability VCID-j6uh-kx6m-sydp
5
vulnerability VCID-kmz1-dm9f-d7hj
6
vulnerability VCID-m3ff-jty5-3uhw
7
vulnerability VCID-nrc9-bdc2-dfes
8
vulnerability VCID-pvh4-3wng-ekdq
9
vulnerability VCID-tj2m-5j3f-5ueq
10
vulnerability VCID-tpjn-4kru-vucv
11
vulnerability VCID-vras-f42j-xqfg
12
vulnerability VCID-vwv4-7y7y-9fcj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.5rc1
aliases CVE-2025-65995, GHSA-gfw7-2v73-69wg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-huhh-68py-hbe2
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.5rc1