Search for packages
| purl | pkg:pypi/apache-airflow@2.0.0rc3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1963-1kyn-2ban
Aliases: BIT-airflow-2023-47037 CVE-2023-47037 GHSA-hm9r-7f84-25c9 PYSEC-2023-232 |
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability. |
Affected by 29 other vulnerabilities. |
|
VCID-1azm-hsvr-f3e8
Aliases: CVE-2023-25693 GHSA-j69x-v4wc-3fpf PYSEC-2023-314 |
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. |
Affected by 21 other vulnerabilities. |
|
VCID-1ptn-xvsy-d3hu
Aliases: BIT-airflow-2023-36543 CVE-2023-36543 GHSA-3h4m-m55v-gx4m PYSEC-2023-106 |
Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected |
Affected by 39 other vulnerabilities. |
|
VCID-2q7x-bua5-37h7
Aliases: BIT-airflow-2023-40273 CVE-2023-40273 GHSA-pm87-24wq-r8w9 PYSEC-2023-158 |
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that). With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour. Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. |
Affected by 39 other vulnerabilities. Affected by 38 other vulnerabilities. |
|
VCID-37nw-x186-puds
Aliases: BIT-airflow-2021-35936 CVE-2021-35936 GHSA-m6h2-jx9v-58w6 PYSEC-2021-122 |
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2. |
Affected by 63 other vulnerabilities. |
|
VCID-4693-xwwu-7uem
Aliases: BIT-airflow-2023-25695 CVE-2023-25695 GHSA-h6g5-wqqr-3mw3 PYSEC-2023-2 |
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. |
Affected by 49 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-4btd-59ga-1yd4
Aliases: BIT-airflow-2023-29247 CVE-2023-29247 GHSA-vcf6-3wv2-5vcr PYSEC-2023-60 |
Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0. |
Affected by 46 other vulnerabilities. |
|
VCID-4u8d-ezsr-sqcz
Aliases: BIT-airflow-2023-50943 CVE-2023-50943 GHSA-c3c6-f2ww-xfr2 PYSEC-2024-13 |
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue. |
Affected by 26 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-4vxd-p4yy-37f8
Aliases: CVE-2026-38743 GHSA-p3v3-229h-mc63 |
Affected by 0 other vulnerabilities. |
|
|
VCID-5n7u-et4v-vfb7
Aliases: CVE-2023-39441 GHSA-5f35-pq34-c87q |
Improper Certificate Validation Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library does not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability |
Affected by 39 other vulnerabilities. |
|
VCID-5ph5-s3qc-guf4
Aliases: CVE-2023-39553 GHSA-mq4v-6vg4-796c PYSEC-2023-136 |
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server. This issue affects Apache Airflow Drill Provider: before 2.4.3. It is recommended to upgrade to a version that is not affected. |
Affected by 49 other vulnerabilities. |
|
VCID-5ppv-384x-ekeb
Aliases: CVE-2025-27555 GHSA-8r55-rv5w-6pfm |
Apache Airflow exposes sensitive information in its log files Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378 |
Affected by 9 other vulnerabilities. |
|
VCID-5ufe-1rrj-rkgp
Aliases: BIT-airflow-2022-27949 CVE-2022-27949 GHSA-fvw2-2pf7-77vw PYSEC-2022-42981 |
A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1. |
Affected by 58 other vulnerabilities. |
|
VCID-6hxm-nnhg-buex
Aliases: BIT-airflow-2022-24288 CVE-2022-24288 GHSA-3v7g-4pg3-7r6j PYSEC-2022-30 |
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. |
Affected by 60 other vulnerabilities. |
|
VCID-7xea-ge93-yuee
Aliases: CVE-2022-38649 GHSA-7wqf-h36w-47mc |
Affected by 59 other vulnerabilities. |
|
|
VCID-7z8j-8f4d-53dm
Aliases: BIT-airflow-2022-46651 CVE-2022-46651 GHSA-xvw9-3mhm-xjqq PYSEC-2023-103 |
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability. |
Affected by 39 other vulnerabilities. |
|
VCID-82p8-yujf-hkdd
Aliases: BIT-airflow-2023-50944 CVE-2023-50944 GHSA-vm5m-qmrx-fw8w PYSEC-2024-14 |
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue. |
Affected by 26 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-8htr-89h8-6fba
Aliases: CVE-2024-50378 GHSA-j857-2pwm-jjmm |
Affected by 13 other vulnerabilities. |
|
|
VCID-8m3p-yzr8-yyhj
Aliases: BIT-airflow-2024-41937 CVE-2024-41937 GHSA-w7cp-g8v7-r54m PYSEC-2024-181 |
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. |
Affected by 17 other vulnerabilities. |
|
VCID-8npr-rvfd-jkfj
Aliases: BIT-airflow-2023-40611 CVE-2023-40611 GHSA-wpg8-mf6h-gm92 PYSEC-2023-170 |
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability. |
Affected by 36 other vulnerabilities. |
|
VCID-8tgv-2cpd-xyh9
Aliases: CVE-2024-56373 GHSA-r837-hpv7-pc2f |
Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change. |
Affected by 9 other vulnerabilities. |
|
VCID-8ykk-1kak-6bfd
Aliases: BIT-airflow-2023-42780 CVE-2023-42780 GHSA-cgx2-rrmr-jx43 PYSEC-2023-202 |
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. |
Affected by 31 other vulnerabilities. |
|
VCID-9x6r-5m59-yyap
Aliases: BIT-airflow-2025-66236 CVE-2025-66236 GHSA-j86x-fwp2-qh7v PYSEC-2026-8 |
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue. |
Affected by 2 other vulnerabilities. |
|
VCID-ab9p-92n7-3kdb
Aliases: CVE-2026-25219 GHSA-4g48-54q2-fg7q |
Affected by 11 other vulnerabilities. |
|
|
VCID-arbk-dryb-qkda
Aliases: BIT-airflow-2024-26280 CVE-2024-26280 GHSA-6xwf-xvf3-v459 PYSEC-2024-42 |
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability |
Affected by 23 other vulnerabilities. |
|
VCID-bn9u-brjp-yudy
Aliases: CVE-2025-67895 GHSA-66h8-3g48-6hx8 PYSEC-2025-87 |
Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configured Edge3 provider in Airflow 2, it implicitly enabled non-public (normally) API which was used to test Edge Provider in Airflow 2 during the development. This API allowed Dag author to perform Remote Code Execution in the webserver context, which Dag Author was not supposed to be able to do. If you installed and configured Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) has minimum version of Airflow set to 3 and the RCE-prone Airflow 2 code is removed, so it should no longer be possible to use the Edge3 provider 2.0.0+ on Airflow 2. If you used Edge Provider in Airflow 3, you are not affected. |
Affected by 68 other vulnerabilities. |
|
VCID-ctd9-hxfn-8fcs
Aliases: BIT-airflow-2022-41672 CVE-2022-41672 GHSA-3q8r-f3pj-3gc4 PYSEC-2022-42983 |
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. |
Affected by 54 other vulnerabilities. Affected by 53 other vulnerabilities. |
|
VCID-d3kc-fn21-xqar
Aliases: BIT-airflow-2023-22887 CVE-2023-22887 GHSA-ggwr-4vr8-g7wv PYSEC-2023-104 |
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected |
Affected by 39 other vulnerabilities. |
|
VCID-dk1y-938p-k3bv
Aliases: BIT-airflow-2023-22888 CVE-2023-22888 GHSA-5946-8p38-vffp PYSEC-2023-105 |
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected |
Affected by 39 other vulnerabilities. |
|
VCID-e19b-adrm-x7fu
Aliases: BIT-airflow-2022-45402 CVE-2022-45402 GHSA-rg94-84xj-7gq3 PYSEC-2022-42984 |
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. |
Affected by 49 other vulnerabilities. |
|
VCID-e41n-8a2f-53ay
Aliases: CVE-2023-22884 GHSA-c732-xvv8-g94c |
Command Injection in Apache Airflow and Apache Airflow MySQL Provider Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0. |
Affected by 49 other vulnerabilities. |
|
VCID-fctg-457f-4uae
Aliases: BIT-airflow-2023-42781 CVE-2023-42781 GHSA-r7x6-xfcm-3mxv PYSEC-2023-231 |
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability. |
Affected by 29 other vulnerabilities. |
|
VCID-fnsx-gtgn-27dr
Aliases: BIT-airflow-2022-40127 CVE-2022-40127 GHSA-6pw3-8h9w-32gc PYSEC-2022-42982 |
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0. |
Affected by 54 other vulnerabilities. |
|
VCID-ftrt-j7rc-pbct
Aliases: CVE-2022-41131 GHSA-cm43-f2pv-6v68 |
Affected by 59 other vulnerabilities. |
|
|
VCID-gbgf-jfzt-tqg1
Aliases: BIT-airflow-2021-45229 CVE-2021-45229 GHSA-65xw-pcqw-hjrh PYSEC-2022-29 |
It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. |
Affected by 60 other vulnerabilities. |
|
VCID-gg94-fdbv-y7g1
Aliases: CVE-2023-28707 GHSA-85pf-r4c7-3j9r PYSEC-2023-3 |
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2. |
Affected by 57 other vulnerabilities. |
|
VCID-gt7b-5554-y7dq
Aliases: BIT-airflow-2021-28359 CVE-2021-28359 GHSA-3xxv-p78r-4fc6 PYSEC-2021-4 |
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336). |
Affected by 64 other vulnerabilities. |
|
VCID-hgq2-kuex-y3a3
Aliases: BIT-airflow-2023-42663 CVE-2023-42663 GHSA-32wr-qqw6-5mfp PYSEC-2023-197 |
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. |
Affected by 31 other vulnerabilities. |
|
VCID-hpf3-3z3m-6ydt
Aliases: BIT-airflow-2024-25142 CVE-2024-25142 GHSA-9xpj-62mm-24h2 PYSEC-2024-195 |
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue. |
Affected by 19 other vulnerabilities. |
|
VCID-huhh-68py-hbe2
Aliases: CVE-2025-65995 GHSA-gfw7-2v73-69wg |
Apache Airflow error reporting may expose full kwargs When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information. |
Affected by 9 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-j6uh-kx6m-sydp
Aliases: BIT-airflow-2026-25917 CVE-2026-25917 GHSA-6ffj-2wg2-w45j PYSEC-2026-13 |
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
Affected by 2 other vulnerabilities. |
|
VCID-jqd6-8d26-7ya2
Aliases: CVE-2023-46215 GHSA-666g-rfc5-c9jv |
Apache Airflow Celery provider Insertion of Sensitive Information into Log File vulnerability Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information exposed in the logs not about accessing the logs. This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3. Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue. |
Affected by 39 other vulnerabilities. |
|
VCID-jrwf-mt69-1ydt
Aliases: BIT-airflow-2021-45230 CVE-2021-45230 GHSA-4jh2-3c85-q67h PYSEC-2022-11 |
In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for. |
Affected by 61 other vulnerabilities. |
|
VCID-kb4a-mm13-63bj
Aliases: BIT-airflow-2024-45784 CVE-2024-45784 GHSA-46c3-5xc5-wwhv PYSEC-2024-182 |
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets. |
Affected by 13 other vulnerabilities. |
|
VCID-kgfb-yphg-n3ec
Aliases: BIT-airflow-2023-25754 CVE-2023-25754 GHSA-jchm-fm4q-c2fp PYSEC-2023-59 |
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0. |
Affected by 48 other vulnerabilities. Affected by 46 other vulnerabilities. |
|
VCID-ms13-tzaa-hkej
Aliases: BIT-airflow-2021-26697 CVE-2021-26697 GHSA-fh37-cx83-q542 PYSEC-2021-3 |
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0. |
Affected by 68 other vulnerabilities. Affected by 66 other vulnerabilities. |
|
VCID-nfbc-tutd-37bw
Aliases: BIT-airflow-2023-50783 CVE-2023-50783 GHSA-5938-79hg-xh3q PYSEC-2023-267 |
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue |
Affected by 26 other vulnerabilities. |
|
VCID-p42d-ta7v-7yhn
Aliases: BIT-airflow-2022-38170 CVE-2022-38170 GHSA-q8h9-pqcx-59hw PYSEC-2022-261 |
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. |
Affected by 55 other vulnerabilities. |
|
VCID-pb3b-22wk-pbh5
Aliases: BIT-airflow-2023-39508 CVE-2023-39508 GHSA-269x-pg5c-5xgm PYSEC-2023-134 |
Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0 This issue affects Apache Airflow: before 2.6.0. |
Affected by 48 other vulnerabilities. Affected by 46 other vulnerabilities. |
|
VCID-pmtw-nwnc-nyfw
Aliases: BIT-airflow-2023-42792 CVE-2023-42792 GHSA-j3w8-2p2h-mrr9 PYSEC-2023-203 |
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. |
Affected by 31 other vulnerabilities. |
|
VCID-pqgj-ry81-6ua3
Aliases: BIT-airflow-2022-43985 CVE-2022-43985 GHSA-f9fq-78ch-4wmj PYSEC-2022-42971 |
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. |
Affected by 53 other vulnerabilities. Affected by 51 other vulnerabilities. |
|
VCID-qxnw-7urw-fud2
Aliases: BIT-airflow-2022-43982 CVE-2022-43982 GHSA-h63r-9xxf-f2c7 PYSEC-2022-42970 |
In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. |
Affected by 53 other vulnerabilities. Affected by 51 other vulnerabilities. |
|
VCID-r1b5-6vah-rydn
Aliases: CVE-2022-40189 GHSA-rmf2-pwfq-h75j |
Affected by 59 other vulnerabilities. |
|
|
VCID-rysu-xhvt-yqda
Aliases: BIT-airflow-2023-48291 CVE-2023-48291 GHSA-8f57-wcmg-4jmh PYSEC-2023-265 |
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability. |
Affected by 26 other vulnerabilities. |
|
VCID-s49h-br5r-5yh8
Aliases: BIT-airflow-2023-40712 CVE-2023-40712 GHSA-mjqh-v5f2-g2mw PYSEC-2023-171 |
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability. |
Affected by 36 other vulnerabilities. |
|
VCID-ssbp-gvfd-2kef
Aliases: BIT-airflow-2021-26559 CVE-2021-26559 GHSA-ffw3-6mp6-jmvj PYSEC-2021-2 |
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0. |
Affected by 68 other vulnerabilities. Affected by 66 other vulnerabilities. |
|
VCID-tcjg-f9cn-mubj
Aliases: BIT-airflow-2020-17515 CVE-2020-17515 GHSA-86vp-x3pr-79rx PYSEC-2020-21 |
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely. |
Affected by 65 other vulnerabilities. |
|
VCID-tpjn-4kru-vucv
Aliases: BIT-airflow-2026-30912 CVE-2026-30912 GHSA-w7cf-2pmc-5m4c PYSEC-2026-18 |
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
Affected by 2 other vulnerabilities. |
|
VCID-v2cz-mqkn-d7dz
Aliases: CVE-2026-40690 GHSA-w7rc-q6cm-f5gm |
Affected by 0 other vulnerabilities. |
|
|
VCID-vj7z-pmk3-cydg
Aliases: BIT-airflow-2023-37379 CVE-2023-37379 GHSA-x2mh-8fmc-rqgh PYSEC-2023-152 |
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server. Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface. |
Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-vras-f42j-xqfg
Aliases: BIT-airflow-2025-68675 CVE-2025-68675 GHSA-7c2f-r6gc-h92h PYSEC-2026-10 |
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue |
Affected by 9 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-vwv4-7y7y-9fcj
Aliases: BIT-airflow-2026-24098 CVE-2026-24098 GHSA-5g2w-9f8g-g5q7 PYSEC-2026-12 |
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue |
Affected by 15 other vulnerabilities. |
|
VCID-vy44-rbar-w3fn
Aliases: BIT-airflow-2023-35908 CVE-2023-35908 GHSA-2h84-3crq-vgfj PYSEC-2023-119 |
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected |
Affected by 39 other vulnerabilities. |
|
VCID-w8ff-8479-rbfq
Aliases: BIT-airflow-2024-45034 CVE-2024-45034 GHSA-92xg-gmrq-5c3w PYSEC-2024-212 |
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability. |
Affected by 15 other vulnerabilities. |
|
VCID-wfxr-hv5x-e3dz
Aliases: CVE-2025-54550 GHSA-q2hg-643c-gw8h |
Affected by 2 other vulnerabilities. |
|
|
VCID-xwza-guvs-83a9
Aliases: BIT-airflow-2024-39863 CVE-2024-39863 GHSA-j482-47xf-p25c PYSEC-2024-189 |
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue. |
Affected by 17 other vulnerabilities. |
|
VCID-y76t-bjep-43fd
Aliases: CVE-2022-40954 GHSA-45r6-j3cc-6mxx |
Affected by 59 other vulnerabilities. |
|
|
VCID-yrx8-dtav-83av
Aliases: BIT-airflow-2024-27906 CVE-2024-27906 GHSA-6v6w-h8m6-7mv2 PYSEC-2024-245 |
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability |
Affected by 23 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||