Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pypb-cezm-rkb2
Vulnerability ID VCID-pypb-cezm-rkb2
Aliases CVE-2023-40611
GHSA-wpg8-mf6h-gm92
PYSEC-2023-170
Summary Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/apache/airflow
https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
https://github.com/apache/airflow/pull/33413
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml
https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
CVE-2023-40611 https://nvd.nist.gov/vuln/detail/CVE-2023-40611
GHSA-wpg8-mf6h-gm92 https://github.com/advisories/GHSA-wpg8-mf6h-gm92
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:19:33.510867+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2023-170.yaml 38.6.0