Lucene search
+L

109 matches found

redhatcve
redhatcve
added 2026/02/10 1:23 p.m.4 views

CVE-2026-24098

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue...

6.5CVSS5.8AI score0.00739EPSS
Exploits0References1
nvd
nvd
added 2026/02/09 11:16 a.m.13 views

CVE-2026-24098

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue...

6.5CVSS0.00739EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/02/09 10:32 a.m.2 views

CVE-2026-24098 Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue...

5.8AI score0.00739EPSS
Exploits0References2
osv
osv
added 2026/02/09 10:32 a.m.5 views

CVE-2026-24098 Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue...

6.5CVSS6AI score0.00739EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/02/09 10:32 a.m.6 views

CVE-2026-24098

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue...

6.5CVSS5.8AI score0.00739EPSS
Exploits0References3Affected Software1
cnnvd
cnnvd
added 2026/02/09 12:0 a.m.6 views

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. Prior to Apache Airflow 3.1.7, there were security...

6.5CVSS5.8AI score0.00739EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/02/09 12:0 a.m.7 views

PT-2026-7103

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.1.7 Description Authenticated users of the Airflow user interface, with permissions to specific Dags, could view import errors generated by other Dags they were not authorized to access. Recommendations Upgra...

6.5CVSS5.3AI score0.00739EPSS
Exploits0References14
snyk
snyk
added 2025/10/30 12:31 p.m.6 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the exampledagdecorator function. An attacker can execute arbitrary commands on the worker by supplying a crafted parameter through the UI. Note: This is only exploitable if example DAGs are enabled in production o...

7.7CVSS8AI score0.00448EPSS
Exploits0References2
nvd
nvd
added 2025/10/30 10:15 a.m.12 views

CVE-2025-54941

An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...

4.6CVSS0.00448EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2025/10/29 12:0 a.m.8 views

PT-2025-44367

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.0.5 Description A parameter in the example dag decorator dag was not properly validated, potentially allowing a user of the Airflow UI to redirect the example to a malicious server and execute code on a worke...

7.7CVSS6.1AI score0.00448EPSS
Exploits0References13
gitee
gitee
added 2025/09/06 12:42 p.m.109 views

Exploit for OS Command Injection in Apache Airflow

This is a proof-of-concept PoC exploit for CVE-2020-11978, a remote code execution RCE vulnerability in Apache Airflow's example DAGs. The exploit targets Airflow versions less than 1.10.11 and allows an attacker to execute arbitrary commands on the system. The exploit uses the Airflow Experiment...

8.8CVSS9.6AI score0.99118EPSS
Exploits9
osv
osv
added 2024/09/10 7:4 a.m.12 views

BIT-AIRFLOW-2024-45498 Apache Airflow: Command Injection in an example DAG

Example DAG: exampleinleteventextra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...

8.8CVSS8.7AI score0.01237EPSS
Exploits0References4
osv
osv
added 2024/09/07 8:15 a.m.15 views

PYSEC-2024-266

Example DAG: exampleinleteventextra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...

8.8CVSS6.1AI score0.01237EPSS
Exploits0References4
osv
osv
added 2024/03/06 10:57 a.m.27 views

BIT-AIRFLOW-2022-40127 Apache Airflow <2.4.0 has an RCE in a bash example

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided runid parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0...

8.8CVSS8.8AI score0.85653EPSS
Exploits2References4
osv
osv
added 2024/03/06 10:52 a.m.23 views

BIT-AIRFLOW-2023-42780 Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dagids and the stack-traces of import errors for those DAGs with import...

6.5CVSS6.2AI score0.01071EPSS
Exploits0References3
osv
osv
added 2024/02/29 12:31 p.m.3 views

GHSA-6V6W-H8M6-7MV2 Apache Airflow: DAG Code and Import Error Permissions Ignored

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk...

5.1CVSS6.3AI score0.00343EPSS
Exploits0References16
osv
osv
added 2024/02/29 11:15 a.m.5 views

PYSEC-2024-245

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk...

5.9CVSS6.3AI score0.00343EPSS
Exploits0References6
vulnrichment
vulnrichment
added 2024/01/24 12:58 p.m.12 views

CVE-2023-50944 Apache Airflow: Bypass permission verification to read code of other dags

Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version...

6.3AI score0.00971EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2024/01/24 12:0 a.m.7 views

PT-2024-1305 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.8.1 Description: The issue is related to a lack of authorization in Apache Airflow, allowing an authenticated user to access the source code of a DAG they do not have access to. This issue is considered low...

7.1CVSS7AI score0.00971EPSS
Exploits0References17
veracode
veracode
added 2023/12/22 5:27 a.m.20 views

Cross-Site Request Forgery (CSRF)

apacheairflow is vulnerable to Cross-Site Request Forgery. The vulnerability is due to the trigger function in views.py which accepts HTTP GET requests for triggering DAGs. An attacker can exploit this by creating a malicious website/URL that sends unauthorized GET requests to trigger DAGs in...

6.5CVSS6.8AI score0.01032EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder