Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-98yf-mvnw-d3b4
Vulnerability ID VCID-98yf-mvnw-d3b4
Aliases CVE-2023-42781
GHSA-r7x6-xfcm-3mxv
PYSEC-2023-231
Summary Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.  This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/apache/airflow
https://github.com/apache/airflow/commit/33ec72948f74f56f2adb5e2d388e60e88e8a3fa3
https://github.com/apache/airflow/pull/34939
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-231.yaml
https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1
CVE-2023-42781 https://nvd.nist.gov/vuln/detail/CVE-2023-42781
GHSA-r7x6-xfcm-3mxv https://github.com/advisories/GHSA-r7x6-xfcm-3mxv
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:20:07.539082+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2023-231.yaml 38.6.0