76 matches found
abi-ds-utils (=1.0.1), acceldata-o2a (=1.0.0) +162 more potentially affected by CVE-2026-45360 via apache-airflow (>=1.8.2 <=3.2.1rc3)
apache-airflow PYPI version =1.8.2, =0.8.44.4, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.2.1, =0.2.9b1, =0.4.0, =0.1.0a1, =0.6.0, =1.6.0 and more Source cves: CVE-2026-45360 Source advisory: OSV:PYSEC-2026-186...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +38 more potentially affected by CVE-2026-45426 via apache-airflow (>=3.0.0 <=3.2.1rc3)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-45426 Source advisory: OSV:PYSEC-2026-174...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +38 more potentially affected by CVE-2026-41017 via apache-airflow (>=3.0.0 <=3.2.1rc3)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-41017 Source advisory: OSV:PYSEC-2026-171...
apache-airflow-core (>=3.2.0 <=3.2.1), apache-airflow-providers-google (=5.0.0) +10 more potentially affected by CVE-2026-41084 via apache-airflow (>=3.2.0 <=3.2.1rc3)
apache-airflow PYPI version =3.2.0, =3.2.0, =1.2.0, =13.0.2, =7.2.0, =1.18.3, =1.4.2, =2.1.1, =1.10.3, =1.41.2, =1.28.2, =5.6.2, =5.7.16rc1 Source cves: CVE-2026-41084 Source advisory: OSV:PYSEC-2026-183...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +38 more potentially affected by CVE-2026-42252 via apache-airflow (>=3.0.0 <=3.2.1rc3)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-42252 Source advisory: OSV:PYSEC-2026-184...
Apache Airflow security vulnerabilities
Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. Versions of Apache Airflow prior to 3.2.2 contained security vulnerabilities. These vulnerabilities stemmed from a lack of checks...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +38 more potentially affected by CVE-2026-38743 via apache-airflow-core (>=3.0.0 <=3.2.1)
apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-38743 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-16425769...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-32228 via apache-airflow-core (>=3.0.0 <=3.1.8rc2)
apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-32228 Source advisory: OSV:GHSA-H97W-PM3W-MWMC...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-32228 via apache-airflow-core (>=3.0.0 <=3.2.0b1)
apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-32228 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-16132854...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-34538 via apache-airflow (>=3.0.0 <=3.1.8)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-34538 Source advisory: OSV:GHSA-R7VR-M4JW-R794...
PYSEC-2026-21
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-34538 via apache-airflow (>=3.0.0 <=3.1.8)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-34538 Source advisory: OSV:PYSEC-2026-21...
Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
Apache Airflow versions 3.1.0 through 3.1.7 session token token in cookies is set to path=/ regardless of the configured webserver baseurl or api baseurl. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full...
EUVD-2026-12566
Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop HITL endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to...
EUVD-2026-12564
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...
Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dagid set to "" wildcard for all DAGs. As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users ar...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +28 more potentially affected by CVE-2026-26929 via apache-airflow (>=3.0.0 <=3.1.7)
apache-airflow PYPI version =3.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =2.0.2, =2.3.0rc1 and more Source cves: CVE-2026-26929 Source advisory: OSV:GHSA-4M3H-WP5W-5HQH...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +28 more potentially affected by CVE-2026-28563 via apache-airflow (>=3.0.0 <=3.1.7)
apache-airflow PYPI version =3.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =2.0.2, =2.3.0rc1 and more Source cves: CVE-2026-28563 Source advisory: OSV:PYSEC-2026-15...
CVE-2026-28779
Apache Airflow versions 3.1.0 through 3.1.7 session token token in cookies is set to path=/ regardless of the configured webserver baseurl or api baseurl. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full...
PYSEC-2026-15
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.Users are recommended to...