4 matches found
CVE-2026-33858
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...
PT-2026-45371
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description A bug in the XCom PATCH endpoint "PATCH /api/v2/xcomEntries/key" allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries using reserved key names, such as...
airflow-clickhouse-plug (=1.6.2), airflow-clickhouse-plugin (=1.6.0) +19 more potentially affected by CVE-2026-33858 via apache-airflow-core (>=3.1.8 <=3.2.0b2)
apache-airflow-core PYPI version =3.1.8, =0.6.0, =0.2.0, =3.1.8, =1.0.2, =0.0.13, =10.13.0, =1.1.8, =0.0.4, =0.1.0, =12.9.0, =7.1.0, =1.15.20, =1.2.4, =1.6.6rc1 and more Source cves: CVE-2026-33858 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-16032065...
airflow-clickhouse-plug (=1.6.2), airflow-clickhouse-plugin (=1.6.0) +19 more potentially affected by CVE-2026-33858 via apache-airflow (=3.1.8)
apache-airflow PYPI version =3.1.8 is affected by a known vulnerability. The following packages have a transitive dependency on apache-airflow and may be impacted: - airflow-clickhouse-plug =1.6.2 - airflow-clickhouse-plugin =1.6.0 - airflow-dbt-winwin =0.6.0, =0.2.0, =1.0.2, =0.0.13, =10.13.0,...