Search for packages
| purl | pkg:pypi/apache-airflow@0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4u8d-ezsr-sqcz
Aliases: BIT-airflow-2023-50943 CVE-2023-50943 GHSA-c3c6-f2ww-xfr2 PYSEC-2024-13 |
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue. |
Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-82p8-yujf-hkdd
Aliases: BIT-airflow-2023-50944 CVE-2023-50944 GHSA-vm5m-qmrx-fw8w PYSEC-2024-14 |
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue. |
Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-8npr-rvfd-jkfj
Aliases: BIT-airflow-2023-40611 CVE-2023-40611 GHSA-wpg8-mf6h-gm92 PYSEC-2023-170 |
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability. |
Affected by 24 other vulnerabilities. |
|
VCID-gbgf-jfzt-tqg1
Aliases: BIT-airflow-2021-45229 CVE-2021-45229 GHSA-65xw-pcqw-hjrh PYSEC-2022-29 |
It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. |
Affected by 43 other vulnerabilities. |
|
VCID-hgq2-kuex-y3a3
Aliases: BIT-airflow-2023-42663 CVE-2023-42663 GHSA-32wr-qqw6-5mfp PYSEC-2023-197 |
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. |
Affected by 20 other vulnerabilities. |
|
VCID-s49h-br5r-5yh8
Aliases: BIT-airflow-2023-40712 CVE-2023-40712 GHSA-mjqh-v5f2-g2mw PYSEC-2023-171 |
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability. |
Affected by 24 other vulnerabilities. |
|
VCID-syqv-6kj7-j3e5
Aliases: BIT-airflow-2020-11978 CVE-2020-11978 GHSA-rvmq-4x66-q7j3 PYSEC-2020-14 |
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. |
Affected by 59 other vulnerabilities. |
|
VCID-yz8w-uv1z-5ybw
Aliases: BIT-airflow-2020-11981 CVE-2020-11981 GHSA-976r-qfjj-c24w PYSEC-2020-15 |
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. |
Affected by 59 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-31T21:37:11.791561+00:00 | GHSA Importer | Affected by | VCID-hgq2-kuex-y3a3 | https://github.com/advisories/GHSA-32wr-qqw6-5mfp | 38.6.0 |
| 2026-05-31T21:36:48.562043+00:00 | GHSA Importer | Affected by | VCID-s49h-br5r-5yh8 | https://github.com/advisories/GHSA-mjqh-v5f2-g2mw | 38.6.0 |
| 2026-05-31T21:36:48.524204+00:00 | GHSA Importer | Affected by | VCID-8npr-rvfd-jkfj | https://github.com/advisories/GHSA-wpg8-mf6h-gm92 | 38.6.0 |
| 2026-05-31T01:01:52.944083+00:00 | GHSA Importer | Affected by | VCID-4u8d-ezsr-sqcz | https://github.com/advisories/GHSA-c3c6-f2ww-xfr2 | 38.6.0 |
| 2026-05-31T01:01:52.868050+00:00 | GHSA Importer | Affected by | VCID-82p8-yujf-hkdd | https://github.com/advisories/GHSA-vm5m-qmrx-fw8w | 38.6.0 |
| 2026-05-31T00:55:23.790596+00:00 | GHSA Importer | Affected by | VCID-gbgf-jfzt-tqg1 | https://github.com/advisories/GHSA-65xw-pcqw-hjrh | 38.6.0 |
| 2026-05-31T00:52:58.372523+00:00 | GHSA Importer | Affected by | VCID-syqv-6kj7-j3e5 | https://github.com/advisories/GHSA-rvmq-4x66-q7j3 | 38.6.0 |
| 2026-05-31T00:52:58.313231+00:00 | GHSA Importer | Affected by | VCID-yz8w-uv1z-5ybw | https://github.com/advisories/GHSA-976r-qfjj-c24w | 38.6.0 |