19 matches found
CVE-2026-27173
JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read-only access to Kubernetes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of...
CVE-2026-27173
JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read-only access to Kubernetes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of...
PT-2026-42001
Name of the Vulnerable Software and Affected Versions: Apache Airflow (affected versions not specified). Description: JWT tokens used by workers in Kubernetes Executors are exposed to users with read-only access to Kubernetes Pods. This exposure allows users with limited permissions to perform actions...
Insertion of Sensitive Information into Log File
Overview: apache-airflow-task-sdk is the Apache Airflow Task SDK, which includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File which had masksecret applied. The DAG run logs UI exposes...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +20 more potentially affected by CVE-2025-66236 via apache-airflow-task-sdk (>=1.0.0 <=1.1.4)
apache-airflow-task-sdk (PYPI), version =1.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =0.0.6.dev1 and more. Source CVEs: CVE-2025-66236. Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-16032067...
apache-airflow (>=3.2.0b1 <=3.2.0b2), apache-airflow-core (>=3.2.0b1 <=3.2.0b2) +1 more potentially affected by CVE-2026-33858 via apache-airflow-task-sdk (>=1.2.0b1 <=1.2.0b2)
apache-airflow-task-sdk (PYPI), version =1.2.0b1, =3.2.0b1, =3.2.0b1, =10.13.0rc3, =10.16.0rc1. Source CVEs: CVE-2026-33858. Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-16032066...
Deserialization of Untrusted Data
Overview: apache-airflow-task-sdk is the Apache Airflow Task SDK, which includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the XCom API. A privileged DAG Author can execute code on the...
MAL-2026-2079 Malicious code in @emilgroup/task-sdk-node (npm)
Source: amazon-inspector (d10e089e1ab5774c571e6a0f5c650a044301456e9558509c051d38dce51eac73). The package @emilgroup/task-sdk-node was found to contain malicious code. Source: ghsa-malware...
MAL-2026-2078 Malicious code in @emilgroup/task-sdk (npm)
Source: amazon-inspector (e4aef8ca2987206595d5c54a2df6265669bdb67ca99915bb763ac38f2d6a46d7). The package @emilgroup/task-sdk was found to contain malicious code. Source: ghsa-malware...
Malicious code in @emilgroup/task-sdk (npm)
Source: amazon-inspector (e4aef8ca2987206595d5c54a2df6265669bdb67ca99915bb763ac38f2d6a46d7). The package @emilgroup/task-sdk was found to contain malicious code. Source: ghsa-malware...
Embedded Malicious Code
Overview: @emilgroup/task-sdk ("A new version of the package"). Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as a result of Trivy's GitHub Actions compromise, and malicious versions were released on NPM. Th...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +20 more potentially affected by CVE-2025-65995 via apache-airflow-task-sdk (>=1.0.0 <=1.1.4)
apache-airflow-task-sdk (PYPI), version =1.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =0.0.6.dev1 and more. Source CVEs: CVE-2025-65995. Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-15325636...
Insertion of Sensitive Information into Log File
Overview: apache-airflow-task-sdk is the Apache Airflow Task SDK, which includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the proxies and proxy fields in a Connection. An...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +28 more potentially affected by CVE-2025-68675 via apache-airflow-task-sdk (>=1.0.0 <=1.1.6)
apache-airflow-task-sdk (PYPI), version =1.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =0.0.6.dev1 and more. Source CVEs: CVE-2025-68675. Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-15032621...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +28 more potentially affected by CVE-2025-68438 via apache-airflow-task-sdk (>=1.0.0 <=1.1.6)
apache-airflow-task-sdk (PYPI), version =1.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =0.0.6.dev1 and more. Source CVEs: CVE-2025-68438. Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-15032537...
Improper Removal of Sensitive Information Before Storage or Transfer
Overview: apache-airflow-task-sdk is the Apache Airflow Task SDK, which includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer via the serialization for rendered...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +20 more potentially affected by CVE-2025-66388 via apache-airflow-task-sdk (>=1.0.0rc4 <=1.1.4)
apache-airflow-task-sdk (PYPI), version =1.0.0rc4, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0rc3, =3.0.0rc3, =1.6.0, =1.5.3, =1.25.0rc1, =3.12.0, =0.0.4, =0.0.6.dev1 and more. Source CVEs: CVE-2025-66388. Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-14459396...
apache-airflow (>=3.0.0 <=3.0.4rc2), apache-airflow-providers-common-sql (>=1.25.0 <=1.25.0rc1) +3 more potentially affected by CVE-2025-54941 via apache-airflow-core (>=3.0.0 <=3.0.4rc2)
apache-airflow-core (PYPI), version =3.0.0, =3.0.0, =1.25.0, =1.0.0, =1.16.0, =1.0.6, =1.0.9. Source CVEs: CVE-2025-54941. Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-13786421...
apache-airflow-core (>=3.0.3 <=3.0.3rc6), apache-airflow-task-sdk (=1.0.3) potentially affected by CVE-2025-54831 via apache-airflow (>=3.0.3 <=3.0.3rc6)
apache-airflow (PYPI), version =3.0.3, =3.0.3, =3.0.3rc6; apache-airflow-task-sdk =1.0.3. Source CVEs: CVE-2025-54831. Source advisory: OSV:GHSA-Q475-2PGM-7HVP...