Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ctd9-hxfn-8fcs
Vulnerability ID VCID-ctd9-hxfn-8fcs
Aliases BIT-airflow-2022-41672
CVE-2022-41672
GHSA-3q8r-f3pj-3gc4
PYSEC-2022-42983
Summary In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-285 Improper Authorization
CWE-613 Insufficient Session Expiration
System Score Found at
epss 0.00339 https://api.first.org/data/v1/epss?cve=CVE-2022-41672
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-3q8r-f3pj-3gc4
cvssv3.1 8.1 https://github.com/apache/airflow
cvssv4 8.6 https://github.com/apache/airflow
generic_textual HIGH https://github.com/apache/airflow
cvssv3.1 8.1 https://github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24c
cvssv4 8.6 https://github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24c
generic_textual HIGH https://github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24c
cvssv3.1 8.1 https://github.com/apache/airflow/pull/26635
cvssv4 8.6 https://github.com/apache/airflow/pull/26635
generic_textual HIGH https://github.com/apache/airflow/pull/26635
cvssv3.1 8.1 https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yaml
cvssv4 8.6 https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yaml
cvssv3.1 8.1 https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
cvssv4 8.6 https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
generic_textual HIGH https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2022-41672
cvssv4 8.6 https://nvd.nist.gov/vuln/detail/CVE-2022-41672
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-41672
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-41672
https://github.com/apache/airflow
https://github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24c
https://github.com/apache/airflow/pull/26635
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yaml
https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
CVE-2022-41672 https://nvd.nist.gov/vuln/detail/CVE-2022-41672
GHSA-3q8r-f3pj-3gc4 https://github.com/advisories/GHSA-3q8r-f3pj-3gc4
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/apache/airflow
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/apache/airflow
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24c
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/apache/airflow/pull/26635
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/apache/airflow/pull/26635
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-41672
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-41672
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.56923
EPSS Score 0.00339
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:30:52.538478+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2022-42983.yaml 38.6.0