CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:47 p.m.•8 views

CVE-2026-45426

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's str.lstrip to the requested path segment when verifying the JWT's sub...

3.1CVSS5.5AI score0.00344EPSS

RedhatCVE•added 2026/06/05 7:46 p.m.•8 views

CVE-2026-33858

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...

8.8CVSS5.9AI score0.0056EPSS

8.8CVSS5.5AI score0.00488EPSS

BIT-AIRFLOW-2026-49298 Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments

A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster e.g...

OSV•added 2026/06/05 5:40 a.m.•5 views

BIT-AIRFLOW-2026-42359 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

8.8CVSS5.6AI score0.0056EPSS

5.9CVSS5.5AI score0.00265EPSS

BIT-AIRFLOW-2026-41017 Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy

Apache Airflow's JWTRefreshMiddleware set the JWT auth cookie without the Secure flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default...

3.1CVSS5.5AI score0.00459EPSS

BIT-AIRFLOW-2026-40963 Apache Airflow: DAG authorization bypass on /ui/structure/structure_data

The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...

6.5CVSS5.6AI score0.00665EPSS

BIT-AIRFLOW-2026-40861 Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler

A Dag author could either a create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process read-path attack — e.g. /etc/passwd or airflow.cfg or b supply a taskid containing .. sequences accepted by the Task SDK's KEYREGEX write-path attack, and...

RedhatCVE•added 2026/06/02 10:3 p.m.•10 views

CVE-2026-42252

Apache Airflow's official documentation at core-concepts/dag-run.html "Passing Parameters when triggering Dags" showed a verbatim BashOperatorbashcommand="echo value: dagrun.conf'conf1' " example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into...

9.1CVSS5.8AI score0.00369EPSS

RedhatCVE•added 2026/06/02 10:3 p.m.•13 views

CVE-2026-41017

5.9CVSS5.9AI score0.00265EPSS

RedhatCVE•added 2026/06/02 10:3 p.m.•11 views

CVE-2026-40861

6.5CVSS5.9AI score0.00665EPSS

Snyk•added 2026/06/01 10:29 a.m.•6 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances that evaluates authorization against the dagid resolved from the URL path while operating on...

8.7CVSS5.5AI score0.00458EPSS

Exploits0References2

Snyk•added 2026/06/01 10:29 a.m.•4 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the XCom PATCH endpoint PATCH /api/v2/xcomEntries/key that allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that...

8.8CVSS5.6AI score0.0055EPSS

Exploits0References2

NVD•added 2026/06/01 9:16 a.m.•14 views

CVE-2026-48726

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...

6.5CVSS0.00368EPSS

NVD•added 2026/06/01 9:16 a.m.•14 views

CVE-2026-41014

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

4.3CVSS0.00352EPSS

NVD•added 2026/06/01 9:16 a.m.•12 views

CVE-2026-42359

8.8CVSS0.0055EPSS