Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/apache-airflow@2.11.0rc1
purl pkg:pypi/apache-airflow@2.11.0rc1
Next non-vulnerable version 3.2.0
Latest non-vulnerable version 3.2.1rc1
Risk 4.4
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-1azm-hsvr-f3e8
Aliases:
CVE-2023-25693
GHSA-j69x-v4wc-3fpf
PYSEC-2023-314
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
3.1.1
Affected by 14 other vulnerabilities.
VCID-j6uh-kx6m-sydp
Aliases:
BIT-airflow-2026-25917
CVE-2026-25917
GHSA-6ffj-2wg2-w45j
PYSEC-2026-13
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
3.2.0
Affected by 0 other vulnerabilities.
VCID-tpjn-4kru-vucv
Aliases:
BIT-airflow-2026-30912
CVE-2026-30912
GHSA-w7cf-2pmc-5m4c
PYSEC-2026-18
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
3.2.0
Affected by 0 other vulnerabilities.
VCID-vras-f42j-xqfg
Aliases:
BIT-airflow-2025-68675
CVE-2025-68675
GHSA-7c2f-r6gc-h92h
PYSEC-2026-10
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
2.11.1
Affected by 4 other vulnerabilities.
3.1.6
Affected by 11 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T09:47:52.844646+00:00 PyPI Importer Affected by VCID-tpjn-4kru-vucv https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:47:52.243941+00:00 PyPI Importer Affected by VCID-j6uh-kx6m-sydp https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:47:19.902494+00:00 PyPI Importer Affected by VCID-vras-f42j-xqfg https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:44:43.285025+00:00 PyPI Importer Affected by VCID-1azm-hsvr-f3e8 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-30T20:38:14.726765+00:00 Pypa Importer Affected by VCID-tpjn-4kru-vucv https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-18.yaml 38.6.0
2026-05-30T20:38:13.507832+00:00 Pypa Importer Affected by VCID-j6uh-kx6m-sydp https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-13.yaml 38.6.0
2026-05-30T20:37:06.022527+00:00 Pypa Importer Affected by VCID-vras-f42j-xqfg https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-10.yaml 38.6.0
2026-05-30T20:31:26.262599+00:00 Pypa Importer Affected by VCID-1azm-hsvr-f3e8 https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2023-314.yaml 38.6.0