Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-q4rb-1yt3-rqdk
Vulnerability ID VCID-q4rb-1yt3-rqdk
Aliases CVE-2023-35005
GHSA-mjff-wv85-hmcj
PYSEC-2023-89
Summary In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/apache/airflow
https://github.com/apache/airflow/commit/5679a01919ac9d5153e858f8b1390cbc7915f148
https://github.com/apache/airflow/commit/f6cda8fb63250fc4700658999739c1c3c5f6625c
https://github.com/apache/airflow/pull/31788
https://github.com/apache/airflow/pull/31820
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-89.yaml
https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd
CVE-2023-35005 https://nvd.nist.gov/vuln/detail/CVE-2023-35005
GHSA-mjff-wv85-hmcj https://github.com/advisories/GHSA-mjff-wv85-hmcj
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:18:55.673795+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2023-89.yaml 38.6.0