Lucene search
K

14 matches found

OSV
OSV
added 4 days ago4 views

PYSEC-2026-269 Apache Airflow: JWT token still valid after logout

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...

9.1CVSS5.7AI score0.00667EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/04/20 7:23 p.m.4 views

CVE-2026-32228

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...

7.5CVSS5.8AI score0.00426EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/18 6:19 a.m.2 views

CVE-2026-32228 Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...

5.7AI score0.00426EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/18 12:0 a.m.14 views

PT-2026-33594

Name of the Vulnerable Software and Affected Versions Airflow versions prior to 3.2.0 Description A user with asset materialize permission via the UI or API can trigger DAGs Directed Acyclic Graphs, which are collections of all the tasks you want to run, organized in a way that reflects their...

7.5CVSS5.8AI score0.00426EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/04/16 1:31 p.m.8 views

CVE-2026-31987

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue...

5.8AI score0.00739EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/04/15 4:17 a.m.3 views

CVE-2025-54550

The example examplexcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly...

8.1CVSS0.00579EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/13 3:31 p.m.6 views

EUVD-2026-21978

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...

8.8CVSS6.1AI score0.00592EPSS
Exploits0References3
OSV
OSV
added 2026/04/13 3:31 p.m.4 views

GHSA-J86X-FWP2-QH7V Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI

Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though...

5.3CVSS5.8AI score0.00439EPSS
Exploits0References7
PyPA
PyPA
added 2026/04/13 3:17 p.m.11 views

PYSEC-2026-20

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.Users are recommended to upgrade to Apache Airflow 3.2.0, whi...

8.8CVSS6.1AI score0.00592EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/13 2:36 p.m.4 views

CVE-2026-33858

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...

8.8CVSS6.1AI score0.00592EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/04/13 2:36 p.m.24 views

CVE-2026-33858 Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...

0.00592EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/13 2:20 p.m.24 views

CVE-2025-66236 Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI

Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though...

0.00439EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.6 views

PT-2026-32371

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.0 Description Dag Authors can craft a malicious XCom payload that allows them to execute arbitrary code within the webserver context, bypassing the standard restriction that prevents them from executing cod...

8.8CVSS6.1AI score0.00592EPSS
Exploits0References20
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.8 views

PT-2026-31598

Name of the Vulnerable Software and Affected Versions Apache Airflow versions 3.0.0 through 3.1.8 Description The DagRun wait endpoint in Apache Airflow allows users with DAG Run read permissions, such as the Viewer role, to access XCom result values. This behavior contradicts the intended securi...

6.5CVSS5.8AI score0.00685EPSS
Exploits0References12
Rows per page
Query Builder