VulnerableCode Package Details - pkg:pypi/apache-airflow-core@3.0.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-ap8j-6689-kfgd Aliases: BIT-airflow-2026-32690 CVE-2026-32690 GHSA-w9r4-94fj-xp69 PYSEC-2026-19	Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented	3.2.0 Affected by 0 other vulnerabilities.
VCID-n2en-fjg3-nfh4 Aliases: CVE-2026-32228 GHSA-h97w-pm3w-mwmc	UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.	3.2.0 Affected by 0 other vulnerabilities.
VCID-ttb5-juj4-uugt Aliases: BIT-airflow-2026-30912 CVE-2026-30912 GHSA-w7cf-2pmc-5m4c PYSEC-2026-18	In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.	3.2.0 Affected by 0 other vulnerabilities.
VCID-vnaq-tba8-ykag Aliases: BIT-airflow-2026-25917 CVE-2026-25917 GHSA-6ffj-2wg2-w45j PYSEC-2026-13	Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.	3.2.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ap8j-6689-kfgd
Aliases:
BIT-airflow-2026-32690
CVE-2026-32690
GHSA-w9r4-94fj-xp69
PYSEC-2026-19

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented

3.2.0
Affected by 0 other vulnerabilities.

VCID-n2en-fjg3-nfh4
Aliases:
CVE-2026-32228
GHSA-h97w-pm3w-mwmc

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

3.2.0
Affected by 0 other vulnerabilities.

VCID-ttb5-juj4-uugt
Aliases:
BIT-airflow-2026-30912
CVE-2026-30912
GHSA-w7cf-2pmc-5m4c
PYSEC-2026-18

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

3.2.0
Affected by 0 other vulnerabilities.

VCID-vnaq-tba8-ykag
Aliases:
BIT-airflow-2026-25917
CVE-2026-25917
GHSA-6ffj-2wg2-w45j
PYSEC-2026-13

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

3.2.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T10:47:16.439961+00:00	GHSA Importer	Affected by	VCID-ap8j-6689-kfgd	https://github.com/advisories/GHSA-w9r4-94fj-xp69	38.6.0
2026-06-12T22:11:04.536914+00:00	GitLab Importer	Affected by	VCID-vnaq-tba8-ykag	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/apache-airflow-core/CVE-2026-25917.yml	38.6.0
2026-06-12T22:11:00.221886+00:00	GitLab Importer	Affected by	VCID-ap8j-6689-kfgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/apache-airflow-core/CVE-2026-32690.yml	38.6.0
2026-06-12T22:10:59.917574+00:00	GitLab Importer	Affected by	VCID-ttb5-juj4-uugt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/apache-airflow-core/CVE-2026-30912.yml	38.6.0
2026-06-12T22:10:52.418210+00:00	GitLab Importer	Affected by	VCID-n2en-fjg3-nfh4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/apache-airflow-core/CVE-2026-32228.yml	38.6.0