35 matches found
ROOT-APP-PYPI-CVE-2023-25692 CVE-2023-25692 in rootio-apache-airflow-providers-google - Patched by Root
Root has patched CVE-2023-25692 in the rootio-apache-airflow-providers-google package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-30473 CVE-2025-30473 in rootio-apache-airflow-providers-common-sql - Patched by Root
Root has patched CVE-2025-30473 in the rootio-apache-airflow-providers-common-sql package for Root:PyPI. Multiple fixed versions available...
apache-airflow-providers-amazon (>=9.7.0 <=9.8.0rc1), arrow-pd-parser (>=1.0.0 <=1.0.4) +43 more potentially affected by CVE-2026-8838 via redshift-connector (>=2.0.888 <=2.1.13)
redshift-connector PYPI version =2.0.888, =9.7.0, =1.0.0, =0.1.1, =2.0.0, =0.1.7, =0.31.6, =0.1.17, =2.3.0.dev3, =1.0.0a2, =0.4.0, =0.0.1, =0.3.64, =6.1.2, =0.5.2, =1.5.0, =1.9.1 and more Source cves: CVE-2026-8838 Source advisory: OSV:GHSA-29H4-R29X-HCHV...
apache-airflow-providers-edge3 (>=1.1.0 <=1.1.1rc1), dmp-af (>=0.15.0 <=0.16.0) +1 more potentially affected by CVE-2026-46745 via apache-airflow-providers-fab (=3.6.4)
apache-airflow-providers-fab PYPI version =3.6.4 is affected by a known vulnerability. The following packages have a transitive dependency on apache-airflow-providers-fab and may be impacted: - apache-airflow-providers-edge3 =1.1.0, =0.15.0, =1.11.0.0, =1.13.0.0rc1 Source cves: CVE-2026-46745...
gps-building-blocks (=1.2.2) potentially affected by CVE-2026-45361 via apache-airflow-providers-google (=1.0.0)
apache-airflow-providers-google PYPI version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on apache-airflow-providers-google and may be impacted: - gps-building-blocks =1.2.2 Source cves: CVE-2026-45361 Source advisory: OSV:PYSEC-2026-166...
CVE-2026-43826
CVE-2026-43826 affects the OpenSearch logging provider used with Apache Airflow providers-opensearch. When the host URL includes embedded credentials (for example https://user:password@server:9200), the provider writes the full host URL, including credentials, to task logs. This allows any us...
CVE-2026-40948 Apache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-30912 via apache-airflow-core (>=3.0.0 <=3.1.8rc2)
apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-30912 Source advisory: OSV:GHSA-W7CF-2PMC-5M4C...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-32690 via apache-airflow (>=3.0.0 <=3.1.8)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-32690 Source advisory: OSV:GHSA-W9R4-94FJ-XP69...
airflow-clickhouse-plug (=1.6.2), airflow-clickhouse-plugin (=1.6.0) +18 more potentially affected by CVE-2026-33858 via apache-airflow-core (>=3.1.8 <=3.2.0b2)
apache-airflow-core PYPI version =3.1.8, =0.6.0, =3.1.8, =1.0.2, =0.0.13, =10.13.0, =1.1.8, =0.0.4, =0.1.0, =12.9.0, =7.1.0, =1.15.20, =1.2.4, =1.9.17, =1.10.13 and more Source cves: CVE-2026-33858 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-16032065...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2025-66236 via apache-airflow (>=3.0.0 <=3.1.8)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2025-66236 Source advisory: OSV:GHSA-J86X-FWP2-QH7V...
airflow-tools (>=0.9.0 <=0.11.0), dataflow-airflow (>=2.10.3 <=2.10.9) +2 more potentially affected by CVE-2026-28779 via apache-airflow-providers-amazon (>=9.0.0 <=9.17.0)
apache-airflow-providers-amazon PYPI version =9.0.0, =0.9.0, =2.10.3, =0.0.1rc1, =2.10.7, =2.10.11rc5 Source cves: CVE-2026-28779 Source advisory: SNYK:PYTHON-APACHEAIRFLOWPROVIDERSAMAZON-15674487...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +28 more potentially affected by CVE-2026-28563 via apache-airflow (>=3.0.0 <=3.1.7)
apache-airflow PYPI version =3.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =2.0.2, =2.3.0rc1 and more Source cves: CVE-2026-28563 Source advisory: OSV:PYSEC-2026-15...
airflow-clickhouse-plugin (>=1.3.0 <=1.4.0), airflow-dagfactory (=0.19.1) +28 more potentially affected by CVE-2025-69219 via apache-airflow-providers-http (>=5.2.1 <=6.0.0)
apache-airflow-providers-http PYPI version =5.2.1, =1.3.0, =0.0.1, =0.0.9, =0.9.2, =2.9.0, =1.0.0, =0.1.34, =2.10.3, =1.7.3, =1.8.0rc2, =4.3.0, =5.1.1 and more Source cves: CVE-2025-69219 Source advisory: SNYK:PYTHON-APACHEAIRFLOWPROVIDERSHTTP-15441017...
abi-ds-utils (=1.0.1), acryl-datahub-airflow-plugin (>=0.8.44.4 <=0.11.0rc1) +71 more potentially affected by CVE-2025-69219 via apache-airflow-providers-http (>=1.1.1 <=5.5.0)
apache-airflow-providers-http PYPI version =1.1.1, =0.8.44.4, =0.1.0rc3, =0.1.0, =0.2.1, =0.2.3, =0.6.0, =0.2.0, =0.1.0, =0.0.1, =0.0.3, =1.1.0, =1.1.1 and more Source cves: CVE-2025-69219 Source advisory: OSV:GHSA-9R5J-7R2X-RV4G...
apache-airflow-core (>=3.1.0 <=3.1.6), apache-airflow-providers-common-compat (>=1.6.0 <=1.7.3rc1) +14 more potentially affected by CVE-2026-22922 via apache-airflow (>=3.1.0 <=3.1.6)
apache-airflow PYPI version =3.1.0, =3.1.0, =1.6.0, =1.5.3, =1.26.0, =2.0.2, =0.4.0, =1.1.0, =12.0.0, =7.0.0, =1.15.0, =0.34.0, =1.9.0, =1.37.0, =1.26.0, =1.26.8 and more Source cves: CVE-2026-22922 Source advisory: OSV:GHSA-PM44-X5X7-24C4...
apache-airflow (>=3.0.0 <=3.0.4rc2), apache-airflow-providers-common-sql (>=1.25.0 <=1.25.0rc1) +3 more potentially affected by CVE-2025-54941 via apache-airflow-core (>=3.0.0 <=3.0.4rc2)
apache-airflow-core PYPI version =3.0.0, =3.0.0, =1.25.0, =1.0.0, =1.16.0, =1.0.6, =1.0.9 Source cves: CVE-2025-54941 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-13786421...
SQL Injection
apache-airflow-providers-snowflake is vulnerable to SQL Injection. The vulnerability is caused by a failure to sanitize special elements in the table and stage parameters of the CopyFromExternalStageToSnowflakeOperator component...
airflow-oracle-snowflake-plugin (>=0.1.0 <=0.1.2), airflow-provider-cloe (>=20221202.9.0 <=20221202.13.0) +3 more potentially affected by CVE-2025-50213 via apache-airflow-providers-snowflake (>=1.1.0 <=6.13.0)
apache-airflow-providers-snowflake PYPI version =1.1.0, =0.1.0, =20221202.9.0, =0.0.4, =0.1.0, =0.1.1 Source cves: CVE-2025-50213 Source advisory: OSV:PYSEC-2025-51...
airflow-provider-cloe (>=20221202.9.0 <=20221202.13.0), astronomer-providers (=1.0.0) +1 more potentially affected by CVE-2025-50213 via apache-airflow-providers-snowflake (=6.13.0)
apache-airflow-providers-snowflake PYPI version =6.13.0 is affected by a known vulnerability. The following packages have a transitive dependency on apache-airflow-providers-snowflake and may be impacted: - airflow-provider-cloe =20221202.9.0, =0.1.0, =0.1.1 Source cves: CVE-2025-50213 Source...