Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5zmy-2ape-7qfa
Vulnerability ID VCID-5zmy-2ape-7qfa
Aliases CVE-2023-40712
GHSA-mjqh-v5f2-g2mw
PYSEC-2023-171
Summary Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/apache/airflow
https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e
https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148
https://github.com/apache/airflow/pull/33512
https://github.com/apache/airflow/pull/33516
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml
https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
CVE-2023-40712 https://nvd.nist.gov/vuln/detail/CVE-2023-40712
GHSA-mjqh-v5f2-g2mw https://github.com/advisories/GHSA-mjqh-v5f2-g2mw
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:19:32.818195+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2023-171.yaml 38.6.0