9 matches found
EUVD-2026-33591
Apache Airflow's official documentation at core-concepts/dag-run.html "Passing Parameters when triggering Dags" showed a verbatim BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}") example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to allowing users with asset materialize permissions to trigger DAGs outside of their permissions. Remediation: Upgrade apache-airflow-core to version 3.2.0b2 or higher. References: Apache Mailing List, GitH...
Improper Encoding (Escaping Of Output)
Apache Airflow is vulnerable to Improper Encoding (Escaping of Output). The vulnerability is due to the example DAG example_inlet_event_extra.py allowing authenticated attackers with DAG trigger permissions to execute arbitrary commands...
BIT-AIRFLOW-2024-45498 Apache Airflow: Command Injection in an example DAG
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...
CVE-2024-45498
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...
CVE-2024-45498 Apache Airflow: Command Injection in an example DAG
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...
CVE-2024-45498 Apache Airflow: Command Injection in an example DAG
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...
Apache Airflow Security Vulnerability
Apache Airflow is an open source platform for creating, managing and monitoring workflows from the Apache Software Foundation (USA). The platform is characterized by scalability and dynamic monitoring. A security vulnerability exists in Apache Airflow version 2.10.0, which stems from mishandling in the...
PYSEC-2023-266
Apache Airflow, versions 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the executio...