Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-e5dn-tpzy-qqec
Vulnerability ID VCID-e5dn-tpzy-qqec
Aliases CVE-2024-28746
GHSA-h574-6646-vfxx
PYSEC-2024-46
Summary Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.  Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-281 Improper Preservation of Permissions
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/apache/airflow
https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca
https://github.com/apache/airflow/pull/37881
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml
https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7
CVE-2024-28746 https://nvd.nist.gov/vuln/detail/CVE-2024-28746
GHSA-h574-6646-vfxx https://github.com/advisories/GHSA-h574-6646-vfxx
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:21:06.380001+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2024-46.yaml 38.6.0