61119 matches found
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-34538 via apache-airflow (>=3.0.0 <=3.1.8)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-34538 Source advisory: OSV:GHSA-R7VR-M4JW-R794...
GHSA-3CJC-VHFM-FFP2 Apache DolphinScheduler vulnerable to sensitive information disclosure
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.. Users are...
GHSA-R7VR-M4JW-R794 Apache Airflow has an authorization bypass in DagRun wait endpoint
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2025-57735 via apache-airflow-core (>=3.0.0rc2 <=3.2.0)
apache-airflow-core PYPI version =3.0.0rc2, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0rc3, =1.6.0, =1.5.3, =1.25.0rc1, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2025-57735 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-15954280...
CVE-2025-57735
CVE-2025-57735 affects Airflow where a JWT token used to authenticate a user was not invalidated at logout. The provided sources indicate that Airflow 3.2 introduced a logout token-invalidation mechanism, and upgrading to Airflow 3.2.0 or newer fixes the issue. The CVSS vector in the initial desc...
CVE-2025-57735 Apache Airflow: Airflow Logout Not Invalidating JWT
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...
PYSEC-2026-21
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-34538 via apache-airflow (>=3.0.0 <=3.1.8)
apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-34538 Source advisory: OSV:PYSEC-2026-21...
CVE-2025-62188
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.. Users are...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-34538 via apache-airflow-core (>=3.0.0rc2 <=3.2.0b2)
apache-airflow-core PYPI version =3.0.0rc2, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0rc3, =1.6.0, =1.5.3, =1.25.0rc1, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-34538 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-15954288...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization through the waitdagrununtilfinished handler in airflow-core/src/airflow/apifastapi/coreapi/routes/public/dagrun.py. An attacker can read task result values by sending a GET request to the DAG run wait endpoint with...
CVE-2025-62188 Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.. Users are...
CVE-2026-34538 Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure)
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...
CVE-2026-23903 vulnerabilities
Vulnerabilities for packages: apache-activemq-fips, apache-activemq...
GHSA-C244-P6M5-VQJ6 vulnerabilities
Vulnerabilities for packages: apache-activemq-fips, apache-activemq...
CLEANSTART-2026-IJ23041 In libexpat before 2
Multiple security vulnerabilities affect the apache-zookeeper package. In libexpat before 2. See references for individual vulnerability details...
CLEANSTART-2026-UV97144 In libexpat before 2
Multiple security vulnerabilities affect the apache-zookeeper package. In libexpat before 2. See references for individual vulnerability details...
CLEANSTART-2026-MW52739 Security fixes for ghsa-72hv-8253-57qq, ghsa-qqpg-mvqg-649v applied in versions: 3.9.4-r0, 3.9.4-r6
Multiple security vulnerabilities affect the apache-zookeeper package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-KI25096 Security fixes for ghsa-72hv-8253-57qq applied in versions: 3.8.6-r0
Security vulnerability affects the apache-zookeeper package. This issue is resolved in later releases. See references for vulnerability details...
CLEANSTART-2026-GY86690 Security fixes for ghsa-72hv-8253-57qq applied in versions: 3.6.4-r4
Security vulnerability affects the apache-zookeeper package. This issue is resolved in later releases. See references for vulnerability details...