Search for packages
| purl | pkg:pypi/apache-airflow@2.9.0b2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1azm-hsvr-f3e8
Aliases: CVE-2023-25693 GHSA-j69x-v4wc-3fpf PYSEC-2023-314 |
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. |
Affected by 21 other vulnerabilities. |
|
VCID-4vxd-p4yy-37f8
Aliases: CVE-2026-38743 GHSA-p3v3-229h-mc63 |
Affected by 0 other vulnerabilities. |
|
|
VCID-5ppv-384x-ekeb
Aliases: CVE-2025-27555 GHSA-8r55-rv5w-6pfm |
Apache Airflow exposes sensitive information in its log files Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378 |
Affected by 9 other vulnerabilities. |
|
VCID-8htr-89h8-6fba
Aliases: CVE-2024-50378 GHSA-j857-2pwm-jjmm |
Affected by 13 other vulnerabilities. |
|
|
VCID-8m3p-yzr8-yyhj
Aliases: BIT-airflow-2024-41937 CVE-2024-41937 GHSA-w7cp-g8v7-r54m PYSEC-2024-181 |
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability. |
Affected by 17 other vulnerabilities. |
|
VCID-8tgv-2cpd-xyh9
Aliases: CVE-2024-56373 GHSA-r837-hpv7-pc2f |
Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change. |
Affected by 9 other vulnerabilities. |
|
VCID-9x6r-5m59-yyap
Aliases: BIT-airflow-2025-66236 CVE-2025-66236 GHSA-j86x-fwp2-qh7v PYSEC-2026-8 |
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue. |
Affected by 2 other vulnerabilities. |
|
VCID-ab9p-92n7-3kdb
Aliases: CVE-2026-25219 GHSA-4g48-54q2-fg7q |
Affected by 11 other vulnerabilities. |
|
|
VCID-g9j4-fhpm-uuba
Aliases: CVE-2024-31869 GHSA-2522-mrjc-m688 |
Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your "expose_config" configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page. |
Affected by 21 other vulnerabilities. |
|
VCID-hpf3-3z3m-6ydt
Aliases: BIT-airflow-2024-25142 CVE-2024-25142 GHSA-9xpj-62mm-24h2 PYSEC-2024-195 |
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue. |
Affected by 19 other vulnerabilities. |
|
VCID-huhh-68py-hbe2
Aliases: CVE-2025-65995 GHSA-gfw7-2v73-69wg |
Apache Airflow error reporting may expose full kwargs When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information. |
Affected by 9 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-j6uh-kx6m-sydp
Aliases: BIT-airflow-2026-25917 CVE-2026-25917 GHSA-6ffj-2wg2-w45j PYSEC-2026-13 |
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
Affected by 2 other vulnerabilities. |
|
VCID-kb4a-mm13-63bj
Aliases: BIT-airflow-2024-45784 CVE-2024-45784 GHSA-46c3-5xc5-wwhv PYSEC-2024-182 |
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets. |
Affected by 13 other vulnerabilities. |
|
VCID-mbgq-fq5n-kufh
Aliases: BIT-airflow-2024-39877 CVE-2024-39877 GHSA-g5hv-r743-v8pm PYSEC-2024-190 |
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability. |
Affected by 17 other vulnerabilities. |
|
VCID-tpjn-4kru-vucv
Aliases: BIT-airflow-2026-30912 CVE-2026-30912 GHSA-w7cf-2pmc-5m4c PYSEC-2026-18 |
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
Affected by 2 other vulnerabilities. |
|
VCID-v2cz-mqkn-d7dz
Aliases: CVE-2026-40690 GHSA-w7rc-q6cm-f5gm |
Affected by 0 other vulnerabilities. |
|
|
VCID-vras-f42j-xqfg
Aliases: BIT-airflow-2025-68675 CVE-2025-68675 GHSA-7c2f-r6gc-h92h PYSEC-2026-10 |
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue |
Affected by 9 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-vwv4-7y7y-9fcj
Aliases: BIT-airflow-2026-24098 CVE-2026-24098 GHSA-5g2w-9f8g-g5q7 PYSEC-2026-12 |
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue |
Affected by 15 other vulnerabilities. |
|
VCID-w8ff-8479-rbfq
Aliases: BIT-airflow-2024-45034 CVE-2024-45034 GHSA-92xg-gmrq-5c3w PYSEC-2024-212 |
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability. |
Affected by 15 other vulnerabilities. |
|
VCID-wfxr-hv5x-e3dz
Aliases: CVE-2025-54550 GHSA-q2hg-643c-gw8h |
Affected by 2 other vulnerabilities. |
|
|
VCID-xwza-guvs-83a9
Aliases: BIT-airflow-2024-39863 CVE-2024-39863 GHSA-j482-47xf-p25c PYSEC-2024-189 |
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue. |
Affected by 17 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||