Lucene search
K

2069 matches found

vulnersOsv
vulnersOsv
added 2026/06/01 9:16 a.m.10 views

acryl-datahub-airflow-plugin (>=0.8.35.6 <=1.7.0.1rc1), acryl-datahub-airflow-plugin-hcc-patched (>=1.4.0.3.post1 <=1.4.0.3.post2) +464 more potentially affected by CVE-2026-42360 via apache-airflow-task-sdk (>=1.0.0 <=1.2.2)

apache-airflow-task-sdk PYPI version =1.0.0, =0.8.35.6, =1.4.0.3.post1, =1.0.0, =0.0.9.2, =0.1.0rc0, =0.1.0, =0.1.2, =1.0.1, =0.1.0, =1.0.0, =0.0.1, =0.0.5 and more Source cves: CVE-2026-42360 Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-17131176...

6.5CVSS5.7AI score0.00335EPSS
Exploits0
PyPA
PyPA
added 2026/06/01 9:16 a.m.13 views

PYSEC-2026-172

A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking e.g. nested password / token / secret / apikey keys inside a JSON template structure to be bypassed when the rendered field exceeded core maxtemplatedfieldlength: Airflow stringified the structure befor...

7.5CVSS5.8AI score0.00586EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/01 9:16 a.m.9 views

Insertion of Sensitive Information Into Sent Data

Overview apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the handling of rendered template fields when the...

7.1CVSS5.9AI score0.00335EPSS
Exploits0References4
PyPA
PyPA
added 2026/06/01 9:16 a.m.13 views

PYSEC-2026-186

Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — t...

7.3CVSS6AI score0.00651EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/01 9:16 a.m.8 views

PYSEC-2026-182

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

4.3CVSS5.8AI score0.00352EPSS
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/06/01 9:16 a.m.6 views

apache-airflow-core (>=3.2.0 <=3.2.1), apache-airflow-providers-google (=5.0.0) +10 more potentially affected by CVE-2026-33858 +1 more via apache-airflow (>=3.2.0 <=3.2.1rc3)

apache-airflow PYPI version =3.2.0, =3.2.0, =1.2.0, =13.0.2, =7.2.0, =1.18.3, =1.4.2, =2.1.1, =1.10.3, =1.41.2, =1.28.2, =5.6.2, =5.7.17 Source cves: CVE-2026-33858, CVE-2026-42359 Source advisory: OSV:PYSEC-2026-185...

8.8CVSS5.7AI score0.00592EPSS
Exploits0
OSV
OSV
added 2026/06/01 9:16 a.m.8 views

PYSEC-2026-183

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

7.5CVSS5.8AI score0.00458EPSS
Exploits0References3
PyPA
PyPA
added 2026/06/01 9:16 a.m.12 views

PYSEC-2026-183

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

7.5CVSS5.8AI score0.00458EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/06/01 9:16 a.m.9 views

PYSEC-0000-CVE-2026-41084

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

7.5CVSS5.8AI score0.00458EPSS
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2026/06/01 9:16 a.m.10 views

apache-airflow-core (>=3.2.0 <=3.2.1), apache-airflow-providers-google (=5.0.0) +10 more potentially affected by CVE-2026-41014 via apache-airflow (>=3.2.0 <=3.2.1rc3)

apache-airflow PYPI version =3.2.0, =3.2.0, =1.2.0, =13.0.2, =7.2.0, =1.18.3, =1.4.2, =2.1.1, =1.10.3, =1.41.2, =1.28.2, =5.6.2, =5.7.17 Source cves: CVE-2026-41014 Source advisory: OSV:PYSEC-2026-182...

4.3CVSS5.7AI score0.00352EPSS
Exploits0
PyPA
PyPA
added 2026/06/01 9:16 a.m.11 views

PYSEC-0000-CVE-2026-41017

Apache Airflow's JWTRefreshMiddleware set the JWT auth cookie without the Secure flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default...

5.9CVSS5.9AI score0.00265EPSS
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2026/06/01 9:16 a.m.6 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +40 more potentially affected by CVE-2026-42252 via apache-airflow (>=3.0.0 <=3.2.1rc3)

apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =0.2.0, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =1.28.0rc1 and more Source cves: CVE-2026-42252 Source advisory: OSV:PYSEC-2026-184...

9.1CVSS5.7AI score0.00369EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 9:16 a.m.6 views

acryl-datahub-airflow-plugin (>=0.8.35.6 <=1.7.0.1rc1), acryl-datahub-airflow-plugin-hcc-patched (>=1.4.0.3.post1 <=1.4.0.3.post2) +464 more potentially affected by CVE-2026-41017 via apache-airflow-core (>=3.0.0 <=3.2.2)

apache-airflow-core PYPI version =3.0.0, =0.8.35.6, =1.4.0.3.post1, =1.0.0, =0.0.9.2, =0.1.0rc0, =0.1.0, =0.1.2, =1.0.1, =0.1.0, =1.0.0, =0.0.1, =0.0.5 and more Source cves: CVE-2026-41017 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-17132622...

5.9CVSS5.7AI score0.00265EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 9:16 a.m.7 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +40 more potentially affected by CVE-2026-41017 via apache-airflow (>=3.0.0 <=3.2.1rc3)

apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =0.2.0, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =1.28.0rc1 and more Source cves: CVE-2026-41017 Source advisory: OSV:PYSEC-2026-171...

5.9CVSS5.7AI score0.00265EPSS
Exploits0
PyPA
PyPA
added 2026/06/01 9:16 a.m.9 views

PYSEC-2026-184

Apache Airflow's official documentation at core-concepts/dag-run.html "Passing Parameters when triggering Dags" showed a verbatim BashOperatorbashcommand="echo value: dagrun.conf'conf1' " example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into...

9.1CVSS5.8AI score0.00369EPSS
Exploits0References2Affected Software1
vulnersOsv
vulnersOsv
added 2026/06/01 8:16 a.m.8 views

acryl-datahub-airflow-plugin (>=0.8.35.6 <=1.7.0.1rc1), acryl-datahub-airflow-plugin-hcc-patched (>=1.4.0.3.post1 <=1.4.0.3.post2) +464 more potentially affected by CVE-2026-45192 via apache-airflow-core (>=3.0.0 <=3.2.2)

apache-airflow-core PYPI version =3.0.0, =0.8.35.6, =1.4.0.3.post1, =1.0.0, =0.0.9.2, =0.1.0rc0, =0.1.0, =0.1.2, =1.0.1, =0.1.0, =1.0.0, =0.0.1, =0.0.5 and more Source cves: CVE-2026-45192 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-17132595...

6.5CVSS5.7AI score0.0041EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 8:16 a.m.5 views

abi-ds-utils (=1.0.1), acceldata-o2a (=1.0.0) +164 more potentially affected by CVE-2026-45192 via apache-airflow (>=1.8.2 <=3.2.1rc3)

apache-airflow PYPI version =1.8.2, =0.8.44.4, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.2.1, =0.2.9b1, =0.4.0, =0.1.0a1, =0.6.0, =1.6.0 and more Source cves: CVE-2026-45192 Source advisory: OSV:PYSEC-2026-173...

6.5CVSS5.7AI score0.0041EPSS
Exploits0
PyPA
PyPA
added 2026/06/01 8:16 a.m.12 views

PYSEC-2026-173

A bug in the GET /api/v2/connections/connectionid REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's extra JSON blob under field names not present in the redaction allowlist DEFAULTSENSITIVEFIELDS —...

6.5CVSS5.8AI score0.0041EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/06/01 8:16 a.m.17 views

CVE-2026-45192

A bug in the GET /api/v2/connections/connectionid REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's extra JSON blob under field names not present in the redaction allowlist DEFAULTSENSITIVEFIELDS —...

6.5CVSS0.0041EPSS
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/06/01 8:16 a.m.8 views

acryl-datahub-airflow-plugin (>=0.8.35.6 <=1.7.0.1rc1), acryl-datahub-airflow-plugin-hcc-patched (>=1.4.0.3.post1 <=1.4.0.3.post2) +464 more potentially affected by CVE-2026-45192 via apache-airflow-task-sdk (>=1.0.0 <=1.2.2)

apache-airflow-task-sdk PYPI version =1.0.0, =0.8.35.6, =1.4.0.3.post1, =1.0.0, =0.0.9.2, =0.1.0rc0, =0.1.0, =0.1.2, =1.0.1, =0.1.0, =1.0.0, =0.0.1, =0.0.5 and more Source cves: CVE-2026-45192 Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-17132596...

6.5CVSS5.7AI score0.0041EPSS
Exploits0
Rows per page
Query Builder