Lucene search
+L

561 matches found

ptsecurity
ptsecurity
added 2026/06/01 12:0 a.m.12 views

PT-2026-45977

Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserialize reference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler —...

7.3CVSS6AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/01 12:0 a.m.12 views

PT-2026-45976

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dag id/dagRuns/dag run id/taskInstances evaluated authorization against the dag id resolved from the URL path while operating on the dag id / dag run id extracted from request-body entity fields. An authenticated UI/API...

7.5CVSS5.8AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/01 12:0 a.m.73 views

PT-2026-45368

Apache Airflow's official documentation at core-concepts/dag-run.html "Passing Parameters when triggering Dags" showed a verbatim BashOperatorbash command="echo value: dag run.conf'conf1' " example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into...

9.1CVSS5.8AI score0.00369EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2026/06/01 12:0 a.m.25 views

PT-2026-45378

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description The Event Log detail endpoint "GET /api/v2/eventLogs/event log id" fetches audit-log rows directly by numeric ID after performing only a generic Audit Log permission check. This differs from t...

4.3CVSS5.4AI score0.00352EPSS
Exploits0References14
susecve
susecve
added 2026/05/29 1:20 a.m.13 views

SUSE CVE-2026-42328

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

6.2CVSS5.9AI score0.0012EPSS
Exploits0References3
snyk
snyk
added 2026/05/27 7:33 p.m.10 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the DAG-CBOR and DAG-JSON decoders. An attacker can cause a fatal stack overflow by submitting payloads with deeply nested collections. Remediation Upgrade github.com/ipld/go-ipld-prime/codec/dagcbor to...

6.9CVSS5.9AI score0.0012EPSS
Exploits0References2
euvd
euvd
added 2026/05/27 4:31 p.m.12 views

EUVD-2026-32581

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

6.2CVSS5.9AI score0.0012EPSS
Exploits0References1
cve
cve
added 2026/05/27 4:31 p.m.20 views

CVE-2026-42328

CVE-2026-42328 : go-ipld-prime prior to 0.23.0 had unbounded recursion in the DAG-CBOR and DAG-JSON decoders when processing deeply nested maps/lists. Each nesting level increases the goroutine stack, potentially causing a fatal stack overflow. The issue is resolved by a fix in version 0.23.0 . I...

6.2CVSS5.9AI score0.0012EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/05/27 4:31 p.m.15 views

CVE-2026-42328 go-ipld-prime: DAG-CBOR and DAG-JSON decoders unbounded recursion depth

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

6.2CVSS5.9AI score0.0012EPSS
Exploits0References1
cvelist
cvelist
added 2026/05/27 4:31 p.m.46 views

CVE-2026-42328 go-ipld-prime: DAG-CBOR and DAG-JSON decoders unbounded recursion depth

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

6.2CVSS0.0012EPSS
Exploits0References1
osv
osv
added 2026/05/27 4:31 p.m.3 views

CVE-2026-42328 go-ipld-prime: DAG-CBOR and DAG-JSON decoders unbounded recursion depth

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

6.2CVSS6AI score0.0012EPSS
Exploits0References3
cnnvd
cnnvd
added 2026/05/27 12:0 a.m.17 views

go-ipld-prime 安全漏洞

go-ipld-prime is an implementation of the IPLD open-source specification interface. Versions of go-ipld-prime prior to 0.23.0 contained security vulnerabilities. These vulnerabilities stemmed from the DAG-CBOR and DAG-JSON decoders having no depth limit when decoding nested mappings or lists, whi...

6.2CVSS5.8AI score0.0012EPSS
Exploits0References2
redhatcve
redhatcve
added 2026/05/15 7:57 p.m.14 views

CVE-2026-42572

Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any...

6.5CVSS5.8AI score0.00181EPSS
Exploits0References1
cnnvd
cnnvd
added 2026/05/14 12:0 a.m.15 views

hatchet 安全漏洞

Hatchet is an open-source backend task and AI workflow orchestration engine developed by Hatchet. Versions of Hatchet prior to 0.83.39 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization instructions for the GET /api/v1/stable/dags/tasks endpoint,...

6.5CVSS5.8AI score0.00181EPSS
Exploits0References2
osv
osv
added 2026/05/07 2:7 a.m.22 views

GHSA-W239-58X2-Q8P5 go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow distinct fr...

6.2CVSS6AI score0.0012EPSS
Exploits0References3
github
github
added 2026/05/07 2:7 a.m.17 views

go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow distinct fr...

6.2CVSS6AI score0.0012EPSS
Exploits0References3Affected Software1
snyk
snyk
added 2026/05/06 9:59 p.m.10 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the GET /api/v1/stable/dags/tasks endpoint via improper tenant checks in the listTasksByDAGIds function. An attacker can access sensitive task metadata belonging to other tenants by...

6.5CVSS5.8AI score0.00181EPSS
Exploits0References2
osv
osv
added 2026/05/06 9:59 p.m.32 views

GHSA-55GC-6FMC-FPX9 Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`

Summary A missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belongi...

5.3CVSS5.9AI score0.00181EPSS
Exploits0References3
osv
osv
added 2026/04/28 8:40 a.m.9 views

BIT-AIRFLOW-2026-40690 Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...

4.3CVSS5.3AI score0.00352EPSS
Exploits0References4
osv
osv
added 2026/04/28 8:39 a.m.4 views

BIT-AIRFLOW-2026-38743 Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DA...

4.3CVSS5.3AI score0.00352EPSS
Exploits0References4
Rows per page
Query Builder