
8 matches found

OSV
added 2026/01/16 11:16 a.m., 2 views

PYSEC-2026-10

In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result,...

CVSS 7.5 | AI score 6 | EPSS 0.00045
Exploits: 0 | References: 4
Snyk
added 2025/12/17 12:44 p.m., 1 views

Incorrect Resource Transfer Between Spheres

Overview: apache-airflow-providers-edge3 is a Provider package for Apache Airflow. Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres via the Edge3 Worker RPC. An attacker can execute arbitrary code in the web-server contex...

CVSS 9.8 | AI score 7.6 | EPSS 0.00346
Exploits: 0 | References: 2
OSV
added 2025/12/17 12:30 p.m., 3 views

GHSA-66H8-3G48-6HX8 Apache Airflow Providers Edge3 exposes internal API allowing RCE in web server context

Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if projects installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if projects installed a...

CVSS 9.8 | AI score 7.5 | EPSS 0.00346
Exploits: 0 | References: 6
Github Security Blog
added 2025/12/17 12:30 p.m., 6 views

Apache Airflow Providers Edge3 exposes internal API allowing RCE in web server context

Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if projects installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if projects installed a...

CVSS 9.8 | AI score 7.6 | EPSS 0.00346
Exploits: 0 | References: 6 | Affected Software: 1
PyPA
added 2025/12/17 12:15 p.m., 4 views

PYSEC-2025-87

Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configure...

CVSS 9.8 | AI score 5.8 | EPSS 0.00346
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2025/12/17 11:47 a.m., 26 views

CVE-2025-67895 Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2

Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and...

EPSS 0.00346
Exploits: 0 | References: 2
Positive Technologies
added 2025/12/17 12:0 a.m., 3 views

PT-2025-51824

Name of the Vulnerable Software and Affected Versions: Apache Airflow Providers Edge3 versions prior to 2.0.0. Description: The Edge3 provider for Apache Airflow 2 contains an issue that allows a Dag author to perform Remote Code Execution (RCE) in the webserver context through a non-public API. This...

CVSS 9.8 | AI score 6.8 | EPSS 0.00346
Exploits: 0 | References: 11
OSV
added 2021/08/16 8:15 a.m., 2 views

PYSEC-2021-122

If remote logging is not used, the worker in the case of CeleryExecutor or the scheduler in the case of LocalExecutor runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG...

CVSS 5.3 | AI score 6.5 | EPSS 0.01895
Exploits: 0 | References: 2