CVE-2020-13927

🗓️ 10 Nov 2020 00:00:00Reported by apacheType

cve🔗 web.nvd.nist.gov📰️ 8 Media mentions👁 1148 Views🌐 WEB

Airflow Experimental API default setting changed to deny all requests, poses security risk

Reporter	Title	Published	Views	Family All 35
0day.today	Apache Airflow 1.10.10 - (Example Dag) Remote Code Execution Exploit	2 Jun 202100:00	–	zdt
0day.today	Apache Airflow 1.10.10 Remote Code Execution Exploit	19 Sep 202300:00	–	zdt
GithubExploit	Exploit for OS Command Injection in Apache Airflow	22 May 202115:58	–	githubexploit
ATTACKERKB	CVE-2020-13927	10 Nov 202000:00	–	attackerkb
Tenable Nessus	Apache Airflow < 1.10.11 Multiple Vulnerabilities	13 Jun 202200:00	–	nessus
BDU FSTEC	The vulnerability of the software component responsible for creating, monitoring, and orchestrating data processing scripts in Airflow allows attackers to circumvent existing access restrictions and execute API requests without authentication.	10 Feb 202200:00	–	bdu_fstec
Circl	CVE-2020-13927	10 Nov 202018:27	–	circl
CISA KEV Catalog	Apache Airflow's Experimental API Authentication Bypass	18 Jan 202200:00	–	cisa_kev
CISA	CISA Adds 13 Known Exploited Vulnerabilities to Catalog	18 Jan 202200:00	–	cisa
CNVD	Apache Airflow Unauthorized Access Vulnerability	12 Nov 202000:00	–	cnvd

NVD

Vulners

Vulnrichment

Node

apache airflowRange<1.10.11

[
  {
    "vendor": "n/a",
    "product": "Apache Airflow",
    "versions": [
      {
        "version": "Apache Airflow <1.10.11",
        "status": "affected"
      }
    ]
  }
]

Source	Link
packetstormsecurity	www.packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html
packetstormsecurity	www.packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html
lists	www.lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog

Parameter	Position	Path	Description	CWE
env	path	/api/experimental/test	Airflow Experimental REST API test endpoint exposed (CVE-2020-13927 context).	CWE-1188, CWE-306, CWE-1056
dag_run	path	/api/experimental/test	Airflow Experimental REST API test endpoint exposed (CVE-2020-13927 context).	CWE-1188, CWE-306, CWE-1056
message	path	/api/experimental/test	Airflow Experimental REST API test endpoint exposed (CVE-2020-13927 context).	CWE-1188, CWE-306, CWE-1056
conf	path	/api/experimental/test	Airflow Experimental REST API test endpoint exposed (CVE-2020-13927 context).	CWE-1188, CWE-306, CWE-1056
env	path	/api/experimental/dags/example_trigger_target_dag/tasks/bash_task	Access to example_trigger_target_dag bash_task which may be used to trigger RCE when combined with vulnerable API exposure.	CWE-1188, CWE-306, CWE-1056
dag_run	path	/api/experimental/dags/example_trigger_target_dag/tasks/bash_task	Access to example_trigger_target_dag bash_task which may be used to trigger RCE when combined with vulnerable API exposure.	CWE-1188, CWE-306, CWE-1056
paused	path	/api/experimental/dags/example_trigger_target_dag/paused/false	API call to unpause the vulnerable DAG; could enable abuse via exposed experimental API.	CWE-1188, CWE-306, CWE-1056
conf	request body	/api/experimental/dags/example_trigger_target_dag/dag_runs	Create a new vulnerable DAG run via the experimental API with payload conf containing a message used for command injection.	CWE-1188, CWE-306, CWE-1056
message	request body	/api/experimental/dags/example_trigger_target_dag/dag_runs	Create a new vulnerable DAG run via the experimental API with payload conf containing a message used for command injection.	CWE-1188, CWE-306, CWE-1056

17 Jun 2026 02:53Current

9.2High risk

Vulners AI Score9.2

CVSS 27.5

CVSS 3.19.8

EPSS0.997

SSVC

airflow api security risk configuration authentication nvd cve-2020-13927