Lucene search

19 matches found

vulnersOsv
added 2026/05/29 7:32 p.m. | 6 views

apache-airflow-providers-amazon (>=9.7.0 <=9.8.0rc1), arrow-pd-parser (>=1.0.0 <=1.0.4) +43 more potentially affected by CVE-2026-8838 via redshift-connector (>=2.0.888 <=2.1.13)

redshift-connector PYPI version =2.0.888, =9.7.0, =1.0.0, =0.1.1, =2.0.0, =0.1.7, =0.31.6, =0.1.17, =2.3.0.dev3, =1.0.0a2, =0.4.0, =0.0.1, =0.3.64, =6.1.2, =0.5.2, =1.5.0, =1.9.1 and more Source cves: CVE-2026-8838 Source advisory: OSV:GHSA-29H4-R29X-HCHV...

CVSS 9.8 | AI score 5.4 | EPSS 0.00808
Exploits: 1

vulnersOsv
added 2026/05/25 10:16 a.m. | 3 views

gps-building-blocks (=1.2.2) potentially affected by CVE-2026-45361 via apache-airflow-providers-google (=1.0.0)

apache-airflow-providers-google PYPI version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on apache-airflow-providers-google and may be impacted: - gps-building-blocks =1.2.2 Source cves: CVE-2026-45361 Source advisory: OSV:PYSEC-2026-166...

CVSS 8.1 | AI score 5.4 | EPSS 0.00598
Exploits: 0

vulnersOsv
added 2026/04/18 9:30 a.m. | 4 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-32690 via apache-airflow (>=3.0.0 <=3.1.8)

apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-32690 Source advisory: OSV:GHSA-W9R4-94FJ-XP69...

CVSS 3.7 | AI score 5.4 | EPSS 0.00421
Exploits: 0

vulnersOsv
added 2026/03/17 11:16 a.m. | 4 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +28 more potentially affected by CVE-2026-28563 via apache-airflow (>=3.0.0 <=3.1.7)

apache-airflow PYPI version =3.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =2.0.2, =2.3.0rc1 and more Source cves: CVE-2026-28563 Source advisory: OSV:PYSEC-2026-15...

CVSS 4.3 | AI score 5.4 | EPSS 0.0044
Exploits: 0

Veracode
added 2025/06/30 7:8 a.m. | 5 views

SQL Injection

apache-airflow-providers-snowflake is vulnerable to SQL Injection. The vulnerability is caused by a failure to sanitize special elements in the table and stage parameters of the CopyFromExternalStageToSnowflakeOperator component...

CVSS 9.8 | AI score 6.7 | EPSS 0.00593
Exploits: 0 | References: 6 | Affected Software: 1

vulnersOsv
added 2025/06/24 8:15 a.m. | 2 views

airflow-oracle-snowflake-plugin (>=0.1.0 <=0.1.2), airflow-provider-cloe (>=20221202.9.0 <=20221202.13.0) +3 more potentially affected by CVE-2025-50213 via apache-airflow-providers-snowflake (>=1.1.0 <=6.13.0)

apache-airflow-providers-snowflake PYPI version =1.1.0, =0.1.0, =20221202.9.0, =0.0.4, =0.1.0, =0.1.1 Source cves: CVE-2025-50213 Source advisory: OSV:PYSEC-2025-51...

CVSS 9.8 | AI score 7.7 | EPSS 0.00593
Exploits: 0

vulnersOsv
added 2025/05/28 2:57 p.m. | 6 views

aggregation-agent (>=0.1.2 <=0.1.11), airflow-add-ons (>=0.2.7 <=0.2.15) +123 more potentially affected by CVE-2025-5279 via redshift-connector (>=2.0.888 <=2.1.2)

redshift-connector PYPI version =2.0.888, =0.1.2, =0.2.7, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =0.0.3, =0.1.0, =3.1.0rc1, =1.0.0, =1.0.4 - arrowjet =0.1.0 - astronomer-providers =1.0.0 - authz-analyzer =0.1.1 and more Source cves: CVE-2025-5279 Source advisory: OSV:GHSA-R244-WG5G-6W2R...

CVSS 7 | AI score 5.4 | EPSS 0.00239
Exploits: 0

vulnersOsv
added 2025/04/07 9:40 a.m. | 5 views

acryl-datahub-airflow-plugin (>=0.10.5.2rc3 <=0.11.0rc1), aind-airflow-jobs (>=0.2.1 <=0.2.6) +22 more potentially affected by CVE-2025-30473 via apache-airflow-providers-common-sql (>=1.0.0 <=1.20.0)

apache-airflow-providers-common-sql PYPI version =1.0.0, =0.10.5.2rc3, =0.2.1, =0.11.0, =0.2.0, =0.0.1, =0.0.1, =0.3.1, =0.0.4, =0.0.1a0, =2.6.0, =1.0.0rc1, =0.0.36, =1.0.0rc1, =1.0.0, =2.5.1rc1 and more Source cves: CVE-2025-30473 Source advisory: SNYK:PYTHON-APACHEAIRFLOWPROVIDERSCOMMONSQL-9667...

CVSS 8.8 | AI score 5.8 | EPSS 0.00731
Exploits: 0

Veracode
added 2025/03/24 7:48 a.m. | 10 views

SQL Injection

apache-airflow-providers-mysql is vulnerable to SQL Injection. The vulnerability is due to insufficient input validation and improper sanitization of user-supplied input in the dumpsql and loadsql functions, allowing attackers to inject and execute unintended SQL commands...

CVSS 6.3 | AI score 7.8 | EPSS 0.00797
Exploits: 0 | References: 6 | Affected Software: 1

OSSF Malicious Packages
added 2024/12/01 4:23 p.m. | 5 views

Malicious code in apache-airflow-providers-edge (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a9db9c9532f0405358d9eba42b9f1e7702f9d5f1878e60e1d6e0d94f7154368b The package looks like a beginning for a further work. In fact, the uploader has shortly published a few similar packages appearing to be e.g. an integration f...

AI score 7.1
Exploits: 0 | References: 1

NVD
added 2024/08/05 8:15 a.m. | 23 views

CVE-2024-42447

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 when used with Apache Airflow 2.9.3 and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. FAB provider 1.2.1 only affected...

CVSS 9.8 | EPSS 0.00921
Exploits: 0 | References: 3

vulnersOsv
added 2024/03/14 9:15 a.m. | 2 views

aind-airflow-jobs (>=0.2.1 <=0.2.6), airflow-tools (>=0.3.1 <=0.6.3) +5 more potentially affected by CVE-2024-28746 via apache-airflow (>=2.8.0 <=2.8.2)

apache-airflow PYPI version =2.8.0, =0.2.1, =0.3.1, =1.0.0rc1, =1.0.0rc1, =1.0.0, =1.1.0.post0.dev45, =1.1.3.post0.dev5 Source cves: CVE-2024-28746 Source advisory: OSV:PYSEC-2024-46...

CVSS 8.1 | AI score 7.2 | EPSS 0.01332
Exploits: 0

Veracode
added 2024/01/25 1:0 p.m. | 15 views

Cleartext Storage Of Sensitive Information

apache-airflow & apache-airflow-providers-cncf-kubernetes are vulnerable to Cleartext Storage Of Sensitive Information. The vulnerability is due to the storage of configuration files without encryption, and plaintext logging of configuration details, allowing an attacker to access the kubernetes...

CVSS 6.5 | AI score 7 | EPSS 0.00381
Exploits: 0 | References: 8 | Affected Software: 2

Veracode
added 2023/08/19 3:21 a.m. | 18 views

Arbitrary File Read

apache-airflow-providers-apache-spark is vulnerable to Arbitrary File Read. The vulnerability exists because the preparecommand function of sqoop.py does not properly validate the connection host field, which allows an attacker to pass malicious query param containing ?, leading to reading...

CVSS 7.5 | AI score 6.9 | EPSS 0.01667
Exploits: 0 | References: 7 | Affected Software: 2

Veracode
added 2023/08/14 5:41 a.m. | 20 views

Arbitrary File Read

apache-airflow-providers-apache-drill is vulnerable to Arbitrary File Read. The vulnerability exists because the getconn function of drill.py allows database URLs with unescaped parameters, allowing an attacker to read arbitrary files when establishing a connection with the DrillHook...

CVSS 7.5 | AI score 6.8 | EPSS 0.01776
Exploits: 0 | References: 6 | Affected Software: 1

Veracode
added 2023/02/28 8:56 a.m. | 12 views

Information Disclosure

apache-airflow-providers-amazon is vulnerable to Information Disclosure. A remote unauthenticated attacker is able to gain access to confidential data due to error messages containing sensitive information, resulting in the disclosure of sensitive information...

CVSS 7.5 | AI score 7.5 | EPSS 0.01499
Exploits: 0 | References: 4 | Affected Software: 1

vulnersOsv
added 2023/02/24 12:31 p.m. | 2 views

airflow-add-ons (>=0.2.3 <=0.2.9b2), airflow-poetry-test (>=0.1.0 <=0.1.2) +5 more potentially affected by CVE-2023-25956 via apache-airflow-providers-amazon (>=1.4.0 <=5.1.0)

apache-airflow-providers-amazon PYPI version =1.4.0, =0.2.3, =0.1.0, =0.1.0, =0.0.4, =0.0.0, =14.4.0, =0.0.1, =0.0.13 Source cves: CVE-2023-25956 Source advisory: OSV:GHSA-W695-P3J5-HRJ9...

CVSS 7.5 | AI score 7.2 | EPSS 0.01499
Exploits: 0

Veracode
added 2022/12/21 8:22 a.m. | 18 views

Command Injection

apache-airflow-providers-apache-hive is vulnerable to command injection. The vulnerability exists because parameters are not properly defined in the hook but in the connection definition, allowing an attacker to inject and execute arbitrary commands...

CVSS 9.8 | AI score 9.5 | EPSS 0.0322
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2022/11/24 3:46 a.m. | 24 views

OS Command Injection

apache-airflow-providers-apache-pinot is vulnerable to OS command injection. An attacker can inject and execute malicious commands through the self.cmdpath parameter in the init function of pinot.py as it does not properly hard code the pinot-admin.sh commands...

CVSS 9.8 | AI score 9.6 | EPSS 0.03228
Exploits: 0 | References: 3 | Affected Software: 1