{"url":"http://public2.vulnerablecode.io/api/packages/32001?format=json","purl":"pkg:pypi/apache-airflow@2.7.1rc1","type":"pypi","namespace":"","name":"apache-airflow","version":"2.7.1rc1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.2.2","latest_non_vulnerable_version":"3.2.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50344?format=json","vulnerability_id":"VCID-1fj3-3bdw-nbch","summary":"Apache Airflow exposes sensitive information in its log files\nAirflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27555","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08636","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08684","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08704","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08688","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27555"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/61882","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:39:35Z/"}],"url":"https://github.com/apache/airflow/pull/61882"},{"reference_url":"https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:39:35Z/"}],"url":"https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27555","reference_id":"CVE-2025-27555","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27555"},{"reference_url":"https://github.com/advisories/GHSA-8r55-rv5w-6pfm","reference_id":"GHSA-8r55-rv5w-6pfm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8r55-rv5w-6pfm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32056?format=json","purl":"pkg:pypi/apache-airflow@2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1"}],"aliases":["CVE-2025-27555","GHSA-8r55-rv5w-6pfm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1fj3-3bdw-nbch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36574?format=json","vulnerability_id":"VCID-1jx5-34px-ukbz","summary":"Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the \"expose_config\" option is set to \"non-sensitive-only\". The `expose_config` option is False by default.\nIt is recommended to upgrade to a version that is not affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45348","reference_id":"","reference_type":"","scores":[{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60758","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60751","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.6073","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60747","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45348"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/a4a0b5dd3d0ce05311c70bb9a32b66a650dbc0b4","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/a4a0b5dd3d0ce05311c70bb9a32b66a650dbc0b4"},{"reference_url":"https://github.com/apache/airflow/pull/34712","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T15:27:01Z/"}],"url":"https://github.com/apache/airflow/pull/34712"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-204.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-204.yaml"},{"reference_url":"https://lists.apache.org/thread/sy4l5d6tn58hr8r61r2fkt1f0qock9z9","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T15:27:01Z/"}],"url":"https://lists.apache.org/thread/sy4l5d6tn58hr8r61r2fkt1f0qock9z9"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/10/23/2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T15:27:01Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/10/23/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45348","reference_id":"CVE-2023-45348","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45348"},{"reference_url":"https://github.com/advisories/GHSA-fpxx-xv4c-gxqp","reference_id":"GHSA-fpxx-xv4c-gxqp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fpxx-xv4c-gxqp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32005?format=json","purl":"pkg:pypi/apache-airflow@2.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2"}],"aliases":["BIT-airflow-2023-45348","CVE-2023-45348","GHSA-fpxx-xv4c-gxqp","PYSEC-2023-204"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1jx5-34px-ukbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51349?format=json","vulnerability_id":"VCID-1w96-f72k-ryap","summary":"A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40861","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25928","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25919","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27726","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27677","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40861"},{"reference_url":"https://github.com/apache/airflow/pull/65325","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:33:03Z/"}],"url":"https://github.com/apache/airflow/pull/65325"},{"reference_url":"https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:33:03Z/"}],"url":"https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/05/31/1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"http://www.openwall.com/lists/oss-security/2026/05/31/1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75455?format=json","purl":"pkg:pypi/apache-airflow@3.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2"}],"aliases":["BIT-airflow-2026-40861","CVE-2026-40861","PYSEC-2026-181"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1w96-f72k-ryap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89490?format=json","vulnerability_id":"VCID-29g4-vwe3-2kh2","summary":"Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access\nThe `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidently logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data.\n\nIf you used Azure Service Bus connection with those values set or if you have other connections with those values storing senesitve values, you should upgrade Airflow to 3.1.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25219","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09732","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09667","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09724","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.0975","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25219"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/61580","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:53:19Z/"}],"url":"https://github.com/apache/airflow/pull/61580"},{"reference_url":"https://github.com/apache/airflow/pull/61582","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:53:19Z/"}],"url":"https://github.com/apache/airflow/pull/61582"},{"reference_url":"https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb96y4ttqh","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:53:19Z/"}],"url":"https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb96y4ttqh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25219","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25219"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/15/3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/04/15/3"},{"reference_url":"https://github.com/advisories/GHSA-4g48-54q2-fg7q","reference_id":"GHSA-4g48-54q2-fg7q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4g48-54q2-fg7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48814?format=json","purl":"pkg:pypi/apache-airflow@3.1.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-e26f-ucw8-m7hf"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-ps4f-qrfn-myb8"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-xd5g-jkrd-67cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.8"}],"aliases":["CVE-2026-25219","GHSA-4g48-54q2-fg7q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-29g4-vwe3-2kh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90076?format=json","vulnerability_id":"VCID-2ajq-ewgt-b7c5","summary":"Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record\nThe authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because HITL prompts and TaskInstance fields routinely carry operator parameters and free-form context attached to a task, the leak widens visibility of DAG-run data beyond the intended per-DAG RBAC boundary for every authenticated user.\n\nUsers are recommended to upgrade to version 3.2.1 , which fixes this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-38743","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20453","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20336","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20403","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20441","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-38743"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/fed4921098d51fd3ec17b7f5cff80f6c36fd05e2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/fed4921098d51fd3ec17b7f5cff80f6c36fd05e2"},{"reference_url":"https://github.com/apache/airflow/pull/64822","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:21:58Z/"}],"url":"https://github.com/apache/airflow/pull/64822"},{"reference_url":"https://lists.apache.org/thread/sk2wj0x48o8qb4p7c47gvnhjbm0mg396","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:21:58Z/"}],"url":"https://lists.apache.org/thread/sk2wj0x48o8qb4p7c47gvnhjbm0mg396"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38743","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38743"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/24/3","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/04/24/3"},{"reference_url":"https://github.com/advisories/GHSA-p3v3-229h-mc63","reference_id":"GHSA-p3v3-229h-mc63","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p3v3-229h-mc63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75448?format=json","purl":"pkg:pypi/apache-airflow@3.2.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-2zj7-8yhg-8qen"},{"vulnerability":"VCID-4nax-1d7y-1kbh"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-frvt-ng4a-jqfh"},{"vulnerability":"VCID-pu6f-xhvm-q3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.1rc1"}],"aliases":["CVE-2026-38743","GHSA-p3v3-229h-mc63"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ajq-ewgt-b7c5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37294?format=json","vulnerability_id":"VCID-2xr2-w3hk-auck","summary":"Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.\n\nUsers are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25917","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16042","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16128","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16174","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16182","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25917"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/61641","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-22T03:55:40Z/"}],"url":"https://github.com/apache/airflow/pull/61641"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-13.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-13.yaml"},{"reference_url":"https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-22T03:55:40Z/"}],"url":"https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25917","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25917"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/17/9","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/04/17/9"},{"reference_url":"https://github.com/advisories/GHSA-6ffj-2wg2-w45j","reference_id":"GHSA-6ffj-2wg2-w45j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6ffj-2wg2-w45j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49522?format=json","purl":"pkg:pypi/apache-airflow@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2zj7-8yhg-8qen"},{"vulnerability":"VCID-4nax-1d7y-1kbh"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-frvt-ng4a-jqfh"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0"}],"aliases":["BIT-airflow-2026-25917","CVE-2026-25917","GHSA-6ffj-2wg2-w45j","PYSEC-2026-13"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36650?format=json","vulnerability_id":"VCID-3h3z-bfsc-jqax","summary":"Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.\nThis flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.\nUsers are recommended to upgrade to 2.8.0, which fixes this issue","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50783","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12859","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12944","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.1298","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12984","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50783"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929"},{"reference_url":"https://github.com/apache/airflow/pull/33932","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/pull/33932"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-267.yaml"},{"reference_url":"https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/12/21/4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/12/21/4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50783","reference_id":"CVE-2023-50783","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50783"},{"reference_url":"https://github.com/advisories/GHSA-5938-79hg-xh3q","reference_id":"GHSA-5938-79hg-xh3q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5938-79hg-xh3q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32013?format=json","purl":"pkg:pypi/apache-airflow@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0"}],"aliases":["BIT-airflow-2023-50783","CVE-2023-50783","GHSA-5938-79hg-xh3q","PYSEC-2023-267"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3h3z-bfsc-jqax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36700?format=json","vulnerability_id":"VCID-4ga6-4111-dyc9","summary":"Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50944","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34838","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34766","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34802","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34821","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50944"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1"},{"reference_url":"https://github.com/apache/airflow/pull/36257","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-26T15:48:59Z/"}],"url":"https://github.com/apache/airflow/pull/36257"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml"},{"reference_url":"https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-26T15:48:59Z/"}],"url":"https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/01/24/5","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-26T15:48:59Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/01/24/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50944","reference_id":"CVE-2023-50944","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50944"},{"reference_url":"https://github.com/advisories/GHSA-vm5m-qmrx-fw8w","reference_id":"GHSA-vm5m-qmrx-fw8w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vm5m-qmrx-fw8w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32014?format=json","purl":"pkg:pypi/apache-airflow@2.8.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/32015?format=json","purl":"pkg:pypi/apache-airflow@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1"}],"aliases":["BIT-airflow-2023-50944","CVE-2023-50944","GHSA-vm5m-qmrx-fw8w","PYSEC-2024-14"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4ga6-4111-dyc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36861?format=json","vulnerability_id":"VCID-56eq-awhd-d3fr","summary":"Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. \nUsers are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45034","reference_id":"","reference_type":"","scores":[{"value":"0.03097","scoring_system":"epss","scoring_elements":"0.87048","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03097","scoring_system":"epss","scoring_elements":"0.87054","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03097","scoring_system":"epss","scoring_elements":"0.87059","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03097","scoring_system":"epss","scoring_elements":"0.87062","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45034"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d"},{"reference_url":"https://github.com/apache/airflow/pull/41672","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-09T13:50:48Z/"}],"url":"https://github.com/apache/airflow/pull/41672"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml"},{"reference_url":"https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-09T13:50:48Z/"}],"url":"https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/09/06/3","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/09/06/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45034","reference_id":"CVE-2024-45034","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45034"},{"reference_url":"https://github.com/advisories/GHSA-92xg-gmrq-5c3w","reference_id":"GHSA-92xg-gmrq-5c3w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-92xg-gmrq-5c3w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32042?format=json","purl":"pkg:pypi/apache-airflow@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1"}],"aliases":["BIT-airflow-2024-45034","CVE-2024-45034","GHSA-92xg-gmrq-5c3w","PYSEC-2024-212"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36572?format=json","vulnerability_id":"VCID-5cpd-kjpb-ekhv","summary":"Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42663","reference_id":"","reference_type":"","scores":[{"value":"0.00401","scoring_system":"epss","scoring_elements":"0.61103","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00401","scoring_system":"epss","scoring_elements":"0.61081","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00401","scoring_system":"epss","scoring_elements":"0.61099","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00401","scoring_system":"epss","scoring_elements":"0.61111","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42663"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/34315","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/pull/34315"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml"},{"reference_url":"https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/12/2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/11/12/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42663","reference_id":"CVE-2023-42663","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42663"},{"reference_url":"https://github.com/advisories/GHSA-32wr-qqw6-5mfp","reference_id":"GHSA-32wr-qqw6-5mfp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-32wr-qqw6-5mfp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32005?format=json","purl":"pkg:pypi/apache-airflow@2.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2"}],"aliases":["BIT-airflow-2023-42663","CVE-2023-42663","GHSA-32wr-qqw6-5mfp","PYSEC-2023-197"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5cpd-kjpb-ekhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51370?format=json","vulnerability_id":"VCID-5jyk-dgtu-zfhd","summary":"Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45360","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20505","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20492","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00086","scoring_system":"epss","scoring_elements":"0.24823","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00086","scoring_system":"epss","scoring_elements":"0.24765","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45360"},{"reference_url":"https://github.com/apache/airflow/pull/66737","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-02T15:48:16Z/"}],"url":"https://github.com/apache/airflow/pull/66737"},{"reference_url":"https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-02T15:48:16Z/"}],"url":"https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/05/31/12","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"http://www.openwall.com/lists/oss-security/2026/05/31/12"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75455?format=json","purl":"pkg:pypi/apache-airflow@3.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2"}],"aliases":["BIT-airflow-2026-45360","CVE-2026-45360","PYSEC-2026-186"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5jyk-dgtu-zfhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36544?format=json","vulnerability_id":"VCID-5zmy-2ape-7qfa","summary":"Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.\n\nUsers are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40712","reference_id":"","reference_type":"","scores":[{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33301","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33316","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34492","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34533","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40712"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e"},{"reference_url":"https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148"},{"reference_url":"https://github.com/apache/airflow/pull/33512","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:02:02Z/"}],"url":"https://github.com/apache/airflow/pull/33512"},{"reference_url":"https://github.com/apache/airflow/pull/33516","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:02:02Z/"}],"url":"https://github.com/apache/airflow/pull/33516"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml"},{"reference_url":"https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:02:02Z/"}],"url":"https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40712","reference_id":"CVE-2023-40712","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40712"},{"reference_url":"https://github.com/advisories/GHSA-mjqh-v5f2-g2mw","reference_id":"GHSA-mjqh-v5f2-g2mw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mjqh-v5f2-g2mw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32003?format=json","purl":"pkg:pypi/apache-airflow@2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1jx5-34px-ukbz"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5cpd-kjpb-ekhv"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-csqr-pdvv-gfbh"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-njyy-ywer-x7bf"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t476-g5u5-1yeh"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1"}],"aliases":["BIT-airflow-2023-40712","CVE-2023-40712","GHSA-mjqh-v5f2-g2mw","PYSEC-2023-171"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5zmy-2ape-7qfa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36744?format=json","vulnerability_id":"VCID-6vg9-hu9u-q7c3","summary":"Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27906","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16208","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16289","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16332","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16333","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27906"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b"},{"reference_url":"https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9"},{"reference_url":"https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7"},{"reference_url":"https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a"},{"reference_url":"https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326"},{"reference_url":"https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446"},{"reference_url":"https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24"},{"reference_url":"https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2"},{"reference_url":"https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4"},{"reference_url":"https://github.com/apache/airflow/pull/37290","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:43:33Z/"}],"url":"https://github.com/apache/airflow/pull/37290"},{"reference_url":"https://github.com/apache/airflow/pull/37468","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:43:33Z/"}],"url":"https://github.com/apache/airflow/pull/37468"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml"},{"reference_url":"https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:43:33Z/"}],"url":"https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/02/29/1","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/02/29/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27906","reference_id":"CVE-2024-27906","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27906"},{"reference_url":"https://github.com/advisories/GHSA-6v6w-h8m6-7mv2","reference_id":"GHSA-6v6w-h8m6-7mv2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6v6w-h8m6-7mv2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32019?format=json","purl":"pkg:pypi/apache-airflow@2.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-egd2-gh55-qfgj"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2"}],"aliases":["BIT-airflow-2024-27906","CVE-2024-27906","GHSA-6v6w-h8m6-7mv2","PYSEC-2024-245"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg9-hu9u-q7c3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50339?format=json","vulnerability_id":"VCID-7a12-nqbv-7fe1","summary":"Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table\nDAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information.\n\nThe functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56373","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.1172","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11802","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11835","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11841","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56373"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/61880","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-25T04:55:43Z/"}],"url":"https://github.com/apache/airflow/pull/61880"},{"reference_url":"https://lists.apache.org/thread/2vrmrhcht6g7cp5yjxpnrk2wtrncm6cy","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-25T04:55:43Z/"}],"url":"https://lists.apache.org/thread/2vrmrhcht6g7cp5yjxpnrk2wtrncm6cy"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/23/3","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/23/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56373","reference_id":"CVE-2024-56373","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56373"},{"reference_url":"https://github.com/advisories/GHSA-r837-hpv7-pc2f","reference_id":"GHSA-r837-hpv7-pc2f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r837-hpv7-pc2f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32056?format=json","purl":"pkg:pypi/apache-airflow@2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1"}],"aliases":["CVE-2024-56373","GHSA-r837-hpv7-pc2f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7a12-nqbv-7fe1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36745?format=json","vulnerability_id":"VCID-835a-arqz-g7h7","summary":"Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26280","reference_id":"","reference_type":"","scores":[{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45539","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45494","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45519","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45535","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26280"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa"},{"reference_url":"https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99"},{"reference_url":"https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e"},{"reference_url":"https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d"},{"reference_url":"https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f"},{"reference_url":"https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c"},{"reference_url":"https://github.com/apache/airflow/pull/37501","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T15:36:34Z/"}],"url":"https://github.com/apache/airflow/pull/37501"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml"},{"reference_url":"https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T15:36:34Z/"}],"url":"https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/03/01/1","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T15:36:34Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/03/01/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26280","reference_id":"CVE-2024-26280","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26280"},{"reference_url":"https://github.com/advisories/GHSA-6xwf-xvf3-v459","reference_id":"GHSA-6xwf-xvf3-v459","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6xwf-xvf3-v459"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32019?format=json","purl":"pkg:pypi/apache-airflow@2.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-egd2-gh55-qfgj"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.2"}],"aliases":["BIT-airflow-2024-26280","CVE-2024-26280","GHSA-6xwf-xvf3-v459","PYSEC-2024-42"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-835a-arqz-g7h7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37295?format=json","vulnerability_id":"VCID-91n6-evww-zybp","summary":"In case of SQL errors, exception/stack trace of errors was exposed in API even if \"api/expose_stack_traces\" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30912","reference_id":"","reference_type":"","scores":[{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26379","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26478","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26487","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26436","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30912"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/63028","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:56:44Z/"}],"url":"https://github.com/apache/airflow/pull/63028"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-18.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-18.yaml"},{"reference_url":"https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:56:44Z/"}],"url":"https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30912","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30912"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/17/5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/04/17/5"},{"reference_url":"https://github.com/advisories/GHSA-w7cf-2pmc-5m4c","reference_id":"GHSA-w7cf-2pmc-5m4c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w7cf-2pmc-5m4c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49522?format=json","purl":"pkg:pypi/apache-airflow@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2zj7-8yhg-8qen"},{"vulnerability":"VCID-4nax-1d7y-1kbh"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-frvt-ng4a-jqfh"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0"}],"aliases":["BIT-airflow-2026-30912","CVE-2026-30912","GHSA-w7cf-2pmc-5m4c","PYSEC-2026-18"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36607?format=json","vulnerability_id":"VCID-98yf-mvnw-d3b4","summary":"Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.  This is a different issue than CVE-2023-42663 but leading to similar outcome.\nUsers of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42781","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17164","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17283","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17244","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.1728","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42781"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3"},{"reference_url":"https://github.com/apache/airflow/pull/34939","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:20:08Z/"}],"url":"https://github.com/apache/airflow/pull/34939"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml"},{"reference_url":"https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:20:08Z/"}],"url":"https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/12/2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:20:08Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/11/12/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42781","reference_id":"CVE-2023-42781","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42781"},{"reference_url":"https://github.com/advisories/GHSA-r7x6-xfcm-3mxv","reference_id":"GHSA-r7x6-xfcm-3mxv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r7x6-xfcm-3mxv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32007?format=json","purl":"pkg:pypi/apache-airflow@2.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3"}],"aliases":["BIT-airflow-2023-42781","CVE-2023-42781","GHSA-r7x6-xfcm-3mxv","PYSEC-2023-231"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-98yf-mvnw-d3b4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36836?format=json","vulnerability_id":"VCID-a64u-53x6-dfge","summary":"Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39877","reference_id":"","reference_type":"","scores":[{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31706","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31778","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31673","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31744","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39877"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/8159f6e24704f5e0e3b3217cf79ecf5083dce531","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/8159f6e24704f5e0e3b3217cf79ecf5083dce531"},{"reference_url":"https://github.com/apache/airflow/pull/40522","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-17T13:24:32Z/"}],"url":"https://github.com/apache/airflow/pull/40522"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-190.yaml"},{"reference_url":"https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-17T13:24:32Z/"}],"url":"https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/07/16/7","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/07/16/7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39877","reference_id":"CVE-2024-39877","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39877"},{"reference_url":"https://github.com/advisories/GHSA-g5hv-r743-v8pm","reference_id":"GHSA-g5hv-r743-v8pm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g5hv-r743-v8pm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32036?format=json","purl":"pkg:pypi/apache-airflow@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3"}],"aliases":["BIT-airflow-2024-39877","CVE-2024-39877","GHSA-g5hv-r743-v8pm","PYSEC-2024-190"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a64u-53x6-dfge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36699?format=json","vulnerability_id":"VCID-amac-hqnj-xfgz","summary":"Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50943","reference_id":"","reference_type":"","scores":[{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.4411","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44049","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44085","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44102","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50943"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462"},{"reference_url":"https://github.com/apache/airflow/pull/36255","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:45Z/"}],"url":"https://github.com/apache/airflow/pull/36255"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-13.yaml"},{"reference_url":"https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:45Z/"}],"url":"https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/01/24/4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:45Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/01/24/4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50943","reference_id":"CVE-2023-50943","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50943"},{"reference_url":"https://github.com/advisories/GHSA-c3c6-f2ww-xfr2","reference_id":"GHSA-c3c6-f2ww-xfr2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c3c6-f2ww-xfr2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32014?format=json","purl":"pkg:pypi/apache-airflow@2.8.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/32015?format=json","purl":"pkg:pypi/apache-airflow@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.1"}],"aliases":["BIT-airflow-2023-50943","CVE-2023-50943","GHSA-c3c6-f2ww-xfr2","PYSEC-2024-13"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-amac-hqnj-xfgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47520?format=json","vulnerability_id":"VCID-c5dx-r8gh-93fm","summary":"Apache Airflow: Sensitive configuration for providers displayed when \"non-sensitive-only\" config used\nAirflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the \"configuration\" UI page when \"non-sensitive-only\" was set as \"webserver.expose_config\" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your \"expose_config\" configuration to False as a workaround. This is similar, but different to  CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq  which concerned API, not UI configuration page.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-31869","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15401","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15317","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15451","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15442","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-31869"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/042c2acaed7c01933d37c2f8434640ce140a4b27","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/042c2acaed7c01933d37c2f8434640ce140a4b27"},{"reference_url":"https://github.com/apache/airflow/pull/38795","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-18T20:47:34Z/"}],"url":"https://github.com/apache/airflow/pull/38795"},{"reference_url":"https://lists.apache.org/thread/pz6vg7wcjk901rmsgt86h76g6kfcgtk3","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-18T20:47:34Z/"}],"url":"https://lists.apache.org/thread/pz6vg7wcjk901rmsgt86h76g6kfcgtk3"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/04/17/10","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-18T20:47:34Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/04/17/10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31869","reference_id":"CVE-2024-31869","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31869"},{"reference_url":"https://github.com/advisories/GHSA-2522-mrjc-m688","reference_id":"GHSA-2522-mrjc-m688","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2522-mrjc-m688"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32029?format=json","purl":"pkg:pypi/apache-airflow@2.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-u6f1-4134-hug1"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.0"}],"aliases":["CVE-2024-31869","GHSA-2522-mrjc-m688"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c5dx-r8gh-93fm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36591?format=json","vulnerability_id":"VCID-csqr-pdvv-gfbh","summary":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0.\n\nSensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2).\n\nUsers are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46288","reference_id":"","reference_type":"","scores":[{"value":"0.00482","scoring_system":"epss","scoring_elements":"0.65536","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00482","scoring_system":"epss","scoring_elements":"0.65548","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00482","scoring_system":"epss","scoring_elements":"0.65559","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46288"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/4a525e85e31b26d413c986c86d181114bb37bd06","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/4a525e85e31b26d413c986c86d181114bb37bd06"},{"reference_url":"https://github.com/apache/airflow/pull/32261","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-11T14:28:49Z/"}],"url":"https://github.com/apache/airflow/pull/32261"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-218.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-218.yaml"},{"reference_url":"https://lists.apache.org/thread/yw4vzm0c5lqkwm0bxv6qy03yfd1od4nw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-11T14:28:49Z/"}],"url":"https://lists.apache.org/thread/yw4vzm0c5lqkwm0bxv6qy03yfd1od4nw"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/04/17/10","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-11T14:28:49Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/04/17/10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46288","reference_id":"CVE-2023-46288","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46288"},{"reference_url":"https://github.com/advisories/GHSA-9qqg-mh7c-chfq","reference_id":"GHSA-9qqg-mh7c-chfq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9qqg-mh7c-chfq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32005?format=json","purl":"pkg:pypi/apache-airflow@2.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2"}],"aliases":["BIT-airflow-2023-46288","CVE-2023-46288","GHSA-9qqg-mh7c-chfq","PYSEC-2023-218"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-csqr-pdvv-gfbh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36389?format=json","vulnerability_id":"VCID-dh4r-77xc-cbas","summary":"Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.\n\nThis issue affects Apache Airflow Sqoop Provider versions before 3.1.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25693","reference_id":"","reference_type":"","scores":[{"value":"0.03621","scoring_system":"epss","scoring_elements":"0.8803","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03621","scoring_system":"epss","scoring_elements":"0.88034","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03621","scoring_system":"epss","scoring_elements":"0.88032","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03621","scoring_system":"epss","scoring_elements":"0.88009","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03621","scoring_system":"epss","scoring_elements":"0.88033","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25693"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/29500","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-13T14:26:37Z/"}],"url":"https://github.com/apache/airflow/pull/29500"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-314.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-314.yaml"},{"reference_url":"https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-13T14:26:37Z/"}],"url":"https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25693","reference_id":"CVE-2023-25693","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25693"},{"reference_url":"https://github.com/advisories/GHSA-j69x-v4wc-3fpf","reference_id":"GHSA-j69x-v4wc-3fpf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j69x-v4wc-3fpf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32098?format=json","purl":"pkg:pypi/apache-airflow@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2b14-1bp2-gua6"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5hxx-r2d2-9ybk"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-9j1n-cypf-p7g5"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-e26f-ucw8-m7hf"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-ezmu-8g1y-e3hz"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-hkwf-65vr-dkfz"},{"vulnerability":"VCID-knrd-atwy-gubn"},{"vulnerability":"VCID-ps4f-qrfn-myb8"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-snqz-3f8t-syhd"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1"}],"aliases":["CVE-2023-25693","GHSA-j69x-v4wc-3fpf","PYSEC-2023-314"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51391?format=json","vulnerability_id":"VCID-djdy-z9r3-s3a2","summary":"A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-48726","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11914","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11909","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13523","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.1361","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-48726"},{"reference_url":"https://github.com/apache/airflow/pull/67289","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:03:20Z/"}],"url":"https://github.com/apache/airflow/pull/67289"},{"reference_url":"https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:03:20Z/"}],"url":"https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-57735","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:03:20Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-57735"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75455?format=json","purl":"pkg:pypi/apache-airflow@3.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2"}],"aliases":["BIT-airflow-2026-48726","CVE-2026-48726","PYSEC-2026-187"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-djdy-z9r3-s3a2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51334?format=json","vulnerability_id":"VCID-ej1r-mp6n-gudd","summary":"A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45192","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10737","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10762","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12032","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11958","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45192"},{"reference_url":"https://github.com/apache/airflow/pull/66673","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-01T12:52:50Z/"}],"url":"https://github.com/apache/airflow/pull/66673"},{"reference_url":"https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-01T12:52:50Z/"}],"url":"https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/06/01/3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"http://www.openwall.com/lists/oss-security/2026/06/01/3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75455?format=json","purl":"pkg:pypi/apache-airflow@3.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2"}],"aliases":["BIT-airflow-2026-45192","CVE-2026-45192","PYSEC-2026-173"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ej1r-mp6n-gudd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36608?format=json","vulnerability_id":"VCID-fbjk-2uvy-mqfc","summary":"We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. \n\nApache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. \n\nUsers should upgrade to version 2.7.3 or later which has removed the vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47037","reference_id":"","reference_type":"","scores":[{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24396","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24338","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24451","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24468","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47037"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad"},{"reference_url":"https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef"},{"reference_url":"https://github.com/apache/airflow/pull/33413","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:19:46Z/"}],"url":"https://github.com/apache/airflow/pull/33413"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml"},{"reference_url":"https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:19:46Z/"}],"url":"https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/12/1","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:19:46Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/11/12/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47037","reference_id":"CVE-2023-47037","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47037"},{"reference_url":"https://github.com/advisories/GHSA-hm9r-7f84-25c9","reference_id":"GHSA-hm9r-7f84-25c9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hm9r-7f84-25c9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32007?format=json","purl":"pkg:pypi/apache-airflow@2.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.3"}],"aliases":["BIT-airflow-2023-47037","CVE-2023-47037","GHSA-hm9r-7f84-25c9","PYSEC-2023-232"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fbjk-2uvy-mqfc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89935?format=json","vulnerability_id":"VCID-gxvn-spkx-9qea","summary":"Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions\nThe asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40690","reference_id":"","reference_type":"","scores":[{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24989","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24864","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24922","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24977","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40690"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/cf3452d76e2ef5a8bae247f9fc90c759ff9df02f","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/cf3452d76e2ef5a8bae247f9fc90c759ff9df02f"},{"reference_url":"https://github.com/apache/airflow/pull/65273","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:54:08Z/"}],"url":"https://github.com/apache/airflow/pull/65273"},{"reference_url":"https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:54:08Z/"}],"url":"https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40690","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40690"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/24/4","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/04/24/4"},{"reference_url":"https://github.com/advisories/GHSA-w7rc-q6cm-f5gm","reference_id":"GHSA-w7rc-q6cm-f5gm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w7rc-q6cm-f5gm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75448?format=json","purl":"pkg:pypi/apache-airflow@3.2.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-2zj7-8yhg-8qen"},{"vulnerability":"VCID-4nax-1d7y-1kbh"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-frvt-ng4a-jqfh"},{"vulnerability":"VCID-pu6f-xhvm-q3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.1rc1"}],"aliases":["CVE-2026-40690","GHSA-w7rc-q6cm-f5gm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gxvn-spkx-9qea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36651?format=json","vulnerability_id":"VCID-j86y-n37n-n7ft","summary":"Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nThis is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 \n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48291","reference_id":"","reference_type":"","scores":[{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25593","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25652","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25708","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25699","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48291"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c"},{"reference_url":"https://github.com/apache/airflow/pull/34366","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/pull/34366"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml"},{"reference_url":"https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/12/21/1","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/12/21/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48291","reference_id":"CVE-2023-48291","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48291"},{"reference_url":"https://github.com/advisories/GHSA-8f57-wcmg-4jmh","reference_id":"GHSA-8f57-wcmg-4jmh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8f57-wcmg-4jmh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32013?format=json","purl":"pkg:pypi/apache-airflow@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0"}],"aliases":["BIT-airflow-2023-48291","CVE-2023-48291","GHSA-8f57-wcmg-4jmh","PYSEC-2023-265"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j86y-n37n-n7ft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36856?format=json","vulnerability_id":"VCID-mcbu-b45m-k3ck","summary":"Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.\nUsers should upgrade to 2.10.0 or later, which fixes this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41937","reference_id":"","reference_type":"","scores":[{"value":"0.01137","scoring_system":"epss","scoring_elements":"0.78752","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01137","scoring_system":"epss","scoring_elements":"0.7874","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01137","scoring_system":"epss","scoring_elements":"0.7875","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01137","scoring_system":"epss","scoring_elements":"0.7876","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41937"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98"},{"reference_url":"https://github.com/apache/airflow/pull/40933","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:36:00Z/"}],"url":"https://github.com/apache/airflow/pull/40933"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml"},{"reference_url":"https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:36:00Z/"}],"url":"https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/08/21/3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/08/21/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41937","reference_id":"CVE-2024-41937","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41937"},{"reference_url":"https://github.com/advisories/GHSA-w7cp-g8v7-r54m","reference_id":"GHSA-w7cp-g8v7-r54m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w7cp-g8v7-r54m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32040?format=json","purl":"pkg:pypi/apache-airflow@2.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-53rr-p2an-3bg9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.0"}],"aliases":["BIT-airflow-2024-41937","CVE-2024-41937","GHSA-w7cp-g8v7-r54m","PYSEC-2024-181"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mcbu-b45m-k3ck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36575?format=json","vulnerability_id":"VCID-njyy-ywer-x7bf","summary":"Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42792","reference_id":"","reference_type":"","scores":[{"value":"0.00582","scoring_system":"epss","scoring_elements":"0.69363","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00582","scoring_system":"epss","scoring_elements":"0.69349","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00582","scoring_system":"epss","scoring_elements":"0.69364","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00582","scoring_system":"epss","scoring_elements":"0.69373","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42792"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/34366","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T15:25:27Z/"}],"url":"https://github.com/apache/airflow/pull/34366"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml"},{"reference_url":"https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T15:25:27Z/"}],"url":"https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/12/21/1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T15:25:27Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/12/21/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42792","reference_id":"CVE-2023-42792","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42792"},{"reference_url":"https://github.com/advisories/GHSA-j3w8-2p2h-mrr9","reference_id":"GHSA-j3w8-2p2h-mrr9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j3w8-2p2h-mrr9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32005?format=json","purl":"pkg:pypi/apache-airflow@2.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2"}],"aliases":["BIT-airflow-2023-42792","CVE-2023-42792","GHSA-j3w8-2p2h-mrr9","PYSEC-2023-203"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-njyy-ywer-x7bf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51363?format=json","vulnerability_id":"VCID-pu6f-xhvm-q3du","summary":"A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42360","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11423","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.1142","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12803","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12888","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42360"},{"reference_url":"https://github.com/apache/airflow/pull/65906","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-01T13:55:15Z/"}],"url":"https://github.com/apache/airflow/pull/65906"},{"reference_url":"https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-01T13:55:15Z/"}],"url":"https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75455?format=json","purl":"pkg:pypi/apache-airflow@3.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.2"}],"aliases":["BIT-airflow-2026-42360","CVE-2026-42360","PYSEC-2026-172"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pu6f-xhvm-q3du"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36545?format=json","vulnerability_id":"VCID-pypb-cezm-rkb2","summary":"Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.\n\nUsers should upgrade to version 2.7.1 or later which has removed the vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40611","reference_id":"","reference_type":"","scores":[{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31129","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31096","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32151","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.3212","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40611"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad"},{"reference_url":"https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef"},{"reference_url":"https://github.com/apache/airflow/pull/33413","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-25T13:36:48Z/"}],"url":"https://github.com/apache/airflow/pull/33413"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml"},{"reference_url":"https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-25T13:36:48Z/"}],"url":"https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/12/1","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-25T13:36:48Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/11/12/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40611","reference_id":"CVE-2023-40611","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40611"},{"reference_url":"https://github.com/advisories/GHSA-wpg8-mf6h-gm92","reference_id":"GHSA-wpg8-mf6h-gm92","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wpg8-mf6h-gm92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32003?format=json","purl":"pkg:pypi/apache-airflow@2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1jx5-34px-ukbz"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5cpd-kjpb-ekhv"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-csqr-pdvv-gfbh"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-njyy-ywer-x7bf"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t476-g5u5-1yeh"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1"}],"aliases":["BIT-airflow-2023-40611","CVE-2023-40611","GHSA-wpg8-mf6h-gm92","PYSEC-2023-170"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pypb-cezm-rkb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50287?format=json","vulnerability_id":"VCID-qfsu-w1gc-6fcj","summary":"Apache Airflow error reporting may expose full kwargs\nWhen a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.\n\nThe issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65995","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03562","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03583","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03591","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03577","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65995"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/58252","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T15:47:06Z/"}],"url":"https://github.com/apache/airflow/pull/58252"},{"reference_url":"https://github.com/apache/airflow/pull/61883","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T15:47:06Z/"}],"url":"https://github.com/apache/airflow/pull/61883"},{"reference_url":"https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T15:47:06Z/"}],"url":"https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/12/12/2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/12/12/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65995","reference_id":"CVE-2025-65995","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65995"},{"reference_url":"https://github.com/advisories/GHSA-gfw7-2v73-69wg","reference_id":"GHSA-gfw7-2v73-69wg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfw7-2v73-69wg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32056?format=json","purl":"pkg:pypi/apache-airflow@2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1"},{"url":"http://public2.vulnerablecode.io/api/packages/47092?format=json","purl":"pkg:pypi/apache-airflow@3.1.5rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2b14-1bp2-gua6"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5hxx-r2d2-9ybk"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-9j1n-cypf-p7g5"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-e26f-ucw8-m7hf"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-ezmu-8g1y-e3hz"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-hkwf-65vr-dkfz"},{"vulnerability":"VCID-knrd-atwy-gubn"},{"vulnerability":"VCID-ps4f-qrfn-myb8"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-snqz-3f8t-syhd"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.5rc1"}],"aliases":["CVE-2025-65995","GHSA-gfw7-2v73-69wg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qfsu-w1gc-6fcj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37186?format=json","vulnerability_id":"VCID-t3ap-dzfp-1bd6","summary":"In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.\n\nUsers are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68675","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10778","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10802","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14094","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.1401","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68675"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/59688","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T16:05:54Z/"}],"url":"https://github.com/apache/airflow/pull/59688"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-10.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-10.yaml"},{"reference_url":"https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T16:05:54Z/"}],"url":"https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/01/15/6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/01/15/6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68675","reference_id":"CVE-2025-68675","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68675"},{"reference_url":"https://github.com/advisories/GHSA-7c2f-r6gc-h92h","reference_id":"GHSA-7c2f-r6gc-h92h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7c2f-r6gc-h92h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32056?format=json","purl":"pkg:pypi/apache-airflow@2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1"},{"url":"http://public2.vulnerablecode.io/api/packages/47095?format=json","purl":"pkg:pypi/apache-airflow@3.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2b14-1bp2-gua6"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5hxx-r2d2-9ybk"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-9j1n-cypf-p7g5"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-e26f-ucw8-m7hf"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-hkwf-65vr-dkfz"},{"vulnerability":"VCID-knrd-atwy-gubn"},{"vulnerability":"VCID-ps4f-qrfn-myb8"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6"}],"aliases":["BIT-airflow-2025-68675","CVE-2025-68675","GHSA-7c2f-r6gc-h92h","PYSEC-2026-10"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36573?format=json","vulnerability_id":"VCID-t476-g5u5-1yeh","summary":"Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42780","reference_id":"","reference_type":"","scores":[{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.32021","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.31921","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.31952","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.3199","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42780"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/cf4eb3fb9b5cf4a8369b890e39523d4c05eed161","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/cf4eb3fb9b5cf4a8369b890e39523d4c05eed161"},{"reference_url":"https://github.com/apache/airflow/pull/34355","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T15:30:52Z/"}],"url":"https://github.com/apache/airflow/pull/34355"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-202.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-202.yaml"},{"reference_url":"https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T15:30:52Z/"}],"url":"https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42780","reference_id":"CVE-2023-42780","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42780"},{"reference_url":"https://github.com/advisories/GHSA-cgx2-rrmr-jx43","reference_id":"GHSA-cgx2-rrmr-jx43","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgx2-rrmr-jx43"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32005?format=json","purl":"pkg:pypi/apache-airflow@2.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.2"}],"aliases":["BIT-airflow-2023-42780","CVE-2023-42780","GHSA-cgx2-rrmr-jx43","PYSEC-2023-202"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t476-g5u5-1yeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36653?format=json","vulnerability_id":"VCID-t7xp-8ua7-d7ff","summary":"Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.\nUsers are advised to upgrade to version 2.8.0 or later which is not affected","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49920","reference_id":"","reference_type":"","scores":[{"value":"0.00239","scoring_system":"epss","scoring_elements":"0.47197","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00239","scoring_system":"epss","scoring_elements":"0.47151","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00239","scoring_system":"epss","scoring_elements":"0.47181","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00239","scoring_system":"epss","scoring_elements":"0.472","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49920"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/f5d802791fa5f6b13b635f06a1ea2eccc22a9ba7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/f5d802791fa5f6b13b635f06a1ea2eccc22a9ba7"},{"reference_url":"https://github.com/apache/airflow/pull/36026","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/pull/36026"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-266.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-266.yaml"},{"reference_url":"https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/12/21/3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/12/21/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49920","reference_id":"CVE-2023-49920","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49920"},{"reference_url":"https://github.com/advisories/GHSA-6m9r-7wrx-xmr6","reference_id":"GHSA-6m9r-7wrx-xmr6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6m9r-7wrx-xmr6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32008?format=json","purl":"pkg:pypi/apache-airflow@2.8.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/32013?format=json","purl":"pkg:pypi/apache-airflow@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-e5dn-tpzy-qqec"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0"}],"aliases":["BIT-airflow-2023-49920","CVE-2023-49920","GHSA-6m9r-7wrx-xmr6","PYSEC-2023-266"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t7xp-8ua7-d7ff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37206?format=json","vulnerability_id":"VCID-tbb9-myv7-a7h4","summary":"Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. \n\nUsers are advised to upgrade to 3.1.7 or later, which resolves this issue","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24098","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02591","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02658","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02661","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02607","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24098"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/60801","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:28:52Z/"}],"url":"https://github.com/apache/airflow/pull/60801"},{"reference_url":"https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:28:52Z/"}],"url":"https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/09/3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/09/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24098","reference_id":"CVE-2026-24098","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24098"},{"reference_url":"https://github.com/advisories/GHSA-5g2w-9f8g-g5q7","reference_id":"GHSA-5g2w-9f8g-g5q7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5g2w-9f8g-g5q7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47539?format=json","purl":"pkg:pypi/apache-airflow@3.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2b14-1bp2-gua6"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-9j1n-cypf-p7g5"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-e26f-ucw8-m7hf"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-etmw-7eq5-mqa2"},{"vulnerability":"VCID-geg4-1kgh-akde"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-hkwf-65vr-dkfz"},{"vulnerability":"VCID-knrd-atwy-gubn"},{"vulnerability":"VCID-ps4f-qrfn-myb8"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.7"}],"aliases":["BIT-airflow-2026-24098","CVE-2026-24098","GHSA-5g2w-9f8g-g5q7","PYSEC-2026-12"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tbb9-myv7-a7h4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36933?format=json","vulnerability_id":"VCID-u5wv-47m4-8yd6","summary":"Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45784","reference_id":"","reference_type":"","scores":[{"value":"0.01059","scoring_system":"epss","scoring_elements":"0.77989","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01059","scoring_system":"epss","scoring_elements":"0.78","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01059","scoring_system":"epss","scoring_elements":"0.7801","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01059","scoring_system":"epss","scoring_elements":"0.78004","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45784"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/43040","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-15T19:41:31Z/"}],"url":"https://github.com/apache/airflow/pull/43040"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml"},{"reference_url":"https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-15T19:41:31Z/"}],"url":"https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/11/15/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/11/15/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45784","reference_id":"CVE-2024-45784","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45784"},{"reference_url":"https://github.com/advisories/GHSA-46c3-5xc5-wwhv","reference_id":"GHSA-46c3-5xc5-wwhv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-46c3-5xc5-wwhv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32047?format=json","purl":"pkg:pypi/apache-airflow@2.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3"}],"aliases":["BIT-airflow-2024-45784","CVE-2024-45784","GHSA-46c3-5xc5-wwhv","PYSEC-2024-182"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56153?format=json","vulnerability_id":"VCID-v7y9-5tsg-wyhe","summary":"Apache Airflow vulnerable to Insertion of Sensitive Information Into Sent Data\nAirflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-50378","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52472","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.525","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52519","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52511","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-50378"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/43123","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-08T17:21:41Z/"}],"url":"https://github.com/apache/airflow/pull/43123"},{"reference_url":"https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-08T17:21:41Z/"}],"url":"https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/11/08/5","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/11/08/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50378","reference_id":"CVE-2024-50378","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50378"},{"reference_url":"https://github.com/advisories/GHSA-j857-2pwm-jjmm","reference_id":"GHSA-j857-2pwm-jjmm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j857-2pwm-jjmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32047?format=json","purl":"pkg:pypi/apache-airflow@2.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3"}],"aliases":["CVE-2024-50378","GHSA-j857-2pwm-jjmm"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v7y9-5tsg-wyhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37287?format=json","vulnerability_id":"VCID-w56f-fmkf-dkfv","summary":"Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4].\n\n[1] Security Model:  https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html \n[2] Workload isolation:  https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html \n[3] JWT Token authentication:  https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html \n[4] Airflow 3.2.0 Blog announcement:  https://airflow.apache.org/blog/airflow-3.2.0/ \n\n\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue.","references":[{"reference_url":"https://airflow.apache.org/blog/airflow-3.2.0","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://airflow.apache.org/blog/airflow-3.2.0"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66236","reference_id":"","reference_type":"","scores":[{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.2629","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26348","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00119","scoring_system":"epss","scoring_elements":"0.30444","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00119","scoring_system":"epss","scoring_elements":"0.30411","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66236"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/58662","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:20:26Z/"}],"url":"https://github.com/apache/airflow/pull/58662"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-8.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-8.yaml"},{"reference_url":"https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:20:26Z/"}],"url":"https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66236","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66236"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/13/6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/04/13/6"},{"reference_url":"https://github.com/advisories/GHSA-j86x-fwp2-qh7v","reference_id":"GHSA-j86x-fwp2-qh7v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j86x-fwp2-qh7v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49522?format=json","purl":"pkg:pypi/apache-airflow@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2zj7-8yhg-8qen"},{"vulnerability":"VCID-4nax-1d7y-1kbh"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-frvt-ng4a-jqfh"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0"}],"aliases":["BIT-airflow-2025-66236","CVE-2025-66236","GHSA-j86x-fwp2-qh7v","PYSEC-2026-8"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w56f-fmkf-dkfv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/88973?format=json","vulnerability_id":"VCID-w5aw-fb9r-uydg","summary":"Apache Airflow: RCE by race condition in example_xcom dag\nThe example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value\nfrom xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary\nexecution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability.\n\nIt does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however\nusers following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of\nthe example with improved resiliance for that case.\n\nUsers who followed that pattern are advised to adjust their implementations accordingly.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54550","reference_id":"","reference_type":"","scores":[{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22485","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22372","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22423","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22472","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54550"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/63200","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T11:56:37Z/"}],"url":"https://github.com/apache/airflow/pull/63200"},{"reference_url":"https://lists.apache.org/thread/3mf4cfx070ofsnf9qy0s2v5gqb5sc2g1","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T11:56:37Z/"}],"url":"https://lists.apache.org/thread/3mf4cfx070ofsnf9qy0s2v5gqb5sc2g1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54550","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54550"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/15/1","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/04/15/1"},{"reference_url":"https://github.com/advisories/GHSA-q2hg-643c-gw8h","reference_id":"GHSA-q2hg-643c-gw8h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q2hg-643c-gw8h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49522?format=json","purl":"pkg:pypi/apache-airflow@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2zj7-8yhg-8qen"},{"vulnerability":"VCID-4nax-1d7y-1kbh"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-9ru4-qyks-hybs"},{"vulnerability":"VCID-dhj9-usjr-nbfe"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-dzfs-e5ys-fbhz"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-frvt-ng4a-jqfh"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-pu6f-xhvm-q3du"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0"}],"aliases":["CVE-2025-54550","GHSA-q2hg-643c-gw8h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w5aw-fb9r-uydg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36652?format=json","vulnerability_id":"VCID-wb11-e3rz-e3cf","summary":"Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox. While this issue does not allow to exit the browser sandbox or manipulation of the server-side data - more than the DAG author already has, it allows to modify what the user looking at the DAG details sees in the browser - which opens up all kinds of possibilities of misleading other users.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47265","reference_id":"","reference_type":"","scores":[{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.40986","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.41017","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.41044","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.41048","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47265"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/0b995602e6e5894ee31625a4dd0e6aa255d2a651","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/0b995602e6e5894ee31625a4dd0e6aa255d2a651"},{"reference_url":"https://github.com/apache/airflow/pull/35460","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/pull/35460"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-264.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-264.yaml"},{"reference_url":"https://lists.apache.org/thread/128f3zl375vb1qv93k82zhnwkpl233pr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/128f3zl375vb1qv93k82zhnwkpl233pr"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/12/21/2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/12/21/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47265","reference_id":"CVE-2023-47265","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47265"},{"reference_url":"https://github.com/advisories/GHSA-pxch-wr7m-rwxj","reference_id":"GHSA-pxch-wr7m-rwxj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pxch-wr7m-rwxj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32008?format=json","purl":"pkg:pypi/apache-airflow@2.8.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.8.0b1"}],"aliases":["BIT-airflow-2023-47265","CVE-2023-47265","GHSA-pxch-wr7m-rwxj","PYSEC-2023-264"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wb11-e3rz-e3cf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36817?format=json","vulnerability_id":"VCID-x9ns-34nt-gfer","summary":"Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. \n\nAirflow did not return \"Cache-Control\" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.\n\nThis issue affects Apache Airflow: before 2.9.2.\n\nUsers are recommended to upgrade to version 2.9.2, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-25142","reference_id":"","reference_type":"","scores":[{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27668","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27533","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27582","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27618","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-25142"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3"},{"reference_url":"https://github.com/apache/airflow/pull/39550","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-14T18:05:59Z/"}],"url":"https://github.com/apache/airflow/pull/39550"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml"},{"reference_url":"https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-14T18:05:59Z/"}],"url":"https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/06/13/1","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/06/13/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25142","reference_id":"CVE-2024-25142","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25142"},{"reference_url":"https://github.com/advisories/GHSA-9xpj-62mm-24h2","reference_id":"GHSA-9xpj-62mm-24h2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9xpj-62mm-24h2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32034?format=json","purl":"pkg:pypi/apache-airflow@2.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.2"}],"aliases":["BIT-airflow-2024-25142","CVE-2024-25142","GHSA-9xpj-62mm-24h2","PYSEC-2024-195"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"5.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x9ns-34nt-gfer"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36835?format=json","vulnerability_id":"VCID-ydhm-m8vh-mber","summary":"Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39863","reference_id":"","reference_type":"","scores":[{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63112","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63097","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.6311","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63121","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39863"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/f18f48492dc69f392e45567580b6ddb0c070ea58"},{"reference_url":"https://github.com/apache/airflow/pull/40475","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T19:39:48Z/"}],"url":"https://github.com/apache/airflow/pull/40475"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-189.yaml"},{"reference_url":"https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T19:39:48Z/"}],"url":"https://lists.apache.org/thread/gxkvs279f1mbvckv5q65worr6how20o3"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/07/16/6","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/07/16/6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39863","reference_id":"CVE-2024-39863","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39863"},{"reference_url":"https://github.com/advisories/GHSA-j482-47xf-p25c","reference_id":"GHSA-j482-47xf-p25c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j482-47xf-p25c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32036?format=json","purl":"pkg:pypi/apache-airflow@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.9.3"}],"aliases":["BIT-airflow-2024-39863","CVE-2024-39863","GHSA-j482-47xf-p25c","PYSEC-2024-189"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ydhm-m8vh-mber"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36526?format=json","vulnerability_id":"VCID-cahz-4dy7-bbe9","summary":"The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).\n\nWith this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.\n\nUsers of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40273","reference_id":"","reference_type":"","scores":[{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.51228","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.51182","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.51212","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.51233","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40273"},{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/2caa186935151683076b74357daad83d2538a3f6"},{"reference_url":"https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b"},{"reference_url":"https://github.com/apache/airflow/pull/33347","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-27T20:28:46Z/"}],"url":"https://github.com/apache/airflow/pull/33347"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml"},{"reference_url":"https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-27T20:28:46Z/"}],"url":"https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj"},{"reference_url":"https://www.openwall.com/lists/oss-security/2023/08/23/1","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-27T20:28:46Z/"}],"url":"https://www.openwall.com/lists/oss-security/2023/08/23/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40273","reference_id":"CVE-2023-40273","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40273"},{"reference_url":"https://github.com/advisories/GHSA-pm87-24wq-r8w9","reference_id":"GHSA-pm87-24wq-r8w9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pm87-24wq-r8w9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/31999?format=json","purl":"pkg:pypi/apache-airflow@2.7.0rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4dm5-fm66-xyea"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5cpd-kjpb-ekhv"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-5zmy-2ape-7qfa"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-cahz-4dy7-bbe9"},{"vulnerability":"VCID-csqr-pdvv-gfbh"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-me8m-415b-g3fx"},{"vulnerability":"VCID-njyy-ywer-x7bf"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-pypb-cezm-rkb2"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-ryct-uaw3-fyfc"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t476-g5u5-1yeh"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.0rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/32001?format=json","purl":"pkg:pypi/apache-airflow@2.7.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1fj3-3bdw-nbch"},{"vulnerability":"VCID-1jx5-34px-ukbz"},{"vulnerability":"VCID-1w96-f72k-ryap"},{"vulnerability":"VCID-29g4-vwe3-2kh2"},{"vulnerability":"VCID-2ajq-ewgt-b7c5"},{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-3h3z-bfsc-jqax"},{"vulnerability":"VCID-4ga6-4111-dyc9"},{"vulnerability":"VCID-56eq-awhd-d3fr"},{"vulnerability":"VCID-5cpd-kjpb-ekhv"},{"vulnerability":"VCID-5jyk-dgtu-zfhd"},{"vulnerability":"VCID-5zmy-2ape-7qfa"},{"vulnerability":"VCID-6vg9-hu9u-q7c3"},{"vulnerability":"VCID-7a12-nqbv-7fe1"},{"vulnerability":"VCID-835a-arqz-g7h7"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-98yf-mvnw-d3b4"},{"vulnerability":"VCID-a64u-53x6-dfge"},{"vulnerability":"VCID-amac-hqnj-xfgz"},{"vulnerability":"VCID-c5dx-r8gh-93fm"},{"vulnerability":"VCID-csqr-pdvv-gfbh"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-djdy-z9r3-s3a2"},{"vulnerability":"VCID-ej1r-mp6n-gudd"},{"vulnerability":"VCID-fbjk-2uvy-mqfc"},{"vulnerability":"VCID-gxvn-spkx-9qea"},{"vulnerability":"VCID-j86y-n37n-n7ft"},{"vulnerability":"VCID-mcbu-b45m-k3ck"},{"vulnerability":"VCID-njyy-ywer-x7bf"},{"vulnerability":"VCID-pu6f-xhvm-q3du"},{"vulnerability":"VCID-pypb-cezm-rkb2"},{"vulnerability":"VCID-qfsu-w1gc-6fcj"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"},{"vulnerability":"VCID-t476-g5u5-1yeh"},{"vulnerability":"VCID-t7xp-8ua7-d7ff"},{"vulnerability":"VCID-tbb9-myv7-a7h4"},{"vulnerability":"VCID-u5wv-47m4-8yd6"},{"vulnerability":"VCID-v7y9-5tsg-wyhe"},{"vulnerability":"VCID-w56f-fmkf-dkfv"},{"vulnerability":"VCID-w5aw-fb9r-uydg"},{"vulnerability":"VCID-wb11-e3rz-e3cf"},{"vulnerability":"VCID-x9ns-34nt-gfer"},{"vulnerability":"VCID-ydhm-m8vh-mber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1rc1"}],"aliases":["BIT-airflow-2023-40273","CVE-2023-40273","GHSA-pm87-24wq-r8w9","PYSEC-2023-158"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cahz-4dy7-bbe9"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.7.1rc1"}