Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-z5b8-kcbh-m7hr
Vulnerability ID VCID-z5b8-kcbh-m7hr
Aliases CVE-2023-46288
GHSA-9qqg-mh7c-chfq
PYSEC-2023-218
Summary Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2). Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00586 https://api.first.org/data/v1/epss?cve=CVE-2023-46288
cvssv3.1 4.3 https://github.com/apache/airflow/pull/32261
cvssv3.1 4.3 https://lists.apache.org/thread/yw4vzm0c5lqkwm0bxv6qy03yfd1od4nw
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-46288
https://github.com/apache/airflow
https://github.com/apache/airflow/commit/4a525e85e31b26d413c986c86d181114bb37bd06
https://github.com/apache/airflow/pull/32261
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-218.yaml
https://lists.apache.org/thread/yw4vzm0c5lqkwm0bxv6qy03yfd1od4nw
CVE-2023-46288 https://nvd.nist.gov/vuln/detail/CVE-2023-46288
GHSA-9qqg-mh7c-chfq https://github.com/advisories/GHSA-9qqg-mh7c-chfq
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/airflow/pull/32261
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://lists.apache.org/thread/yw4vzm0c5lqkwm0bxv6qy03yfd1od4nw
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.69398
EPSS Score 0.00586
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:33:08.869449+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2023-218.yaml 38.6.0