3 matches found
CVE-2026-42252
Apache Airflow's official documentation at core-concepts/dag-run.html "Passing Parameters when triggering Dags" showed a verbatim BashOperatorbashcommand="echo value: dagrun.conf'conf1' " example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into...
GHSA-5R62-MJF5-XWHJ Apache Airflow Common SQL Provider Vulnerable to SQL Injection
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Apache Airflow Common SQL Provider. When using the partition clause in SQLTableCheckOperator as parameter which was a recommended pattern, Authenticated UI User could inject arbitrary SQL command...
CVE-2023-49920 Apache Airflow: Missing CSRF protection on DAG/trigger
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the executi...