Lucene search
K

30 matches found

OSV
OSV
added 2026/04/15 12:22 a.m.4 views

CVE-2025-54550 Apache Airflow: RCE by race condition in example_xcom dag

The example examplexcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly...

8.1CVSS6.1AI score0.00579EPSS
Exploits0References6
Veracode
Veracode
added 2026/02/19 8:6 p.m.7 views

Command Injection

Apache Airflow is vulnerable to Command Injection. The vulnerability is due to a non-validated parameter in the exampledagdecorator example DAG, which allows an attacker to redirect execution to a malicious server and execute arbitrary code on a worker when example DAGs are enabled...

4.6CVSS6.3AI score0.00448EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2025/11/06 12:52 p.m.6 views

BIT-AIRFLOW-2025-54941 Apache Airflow: Command injection in "example_dag_decorator"

An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...

4.6CVSS7.1AI score0.00448EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/10/31 10:10 a.m.14 views

CVE-2025-54941

An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...

4.6CVSS7.3AI score0.00448EPSS
Exploits0References1
Snyk
Snyk
added 2025/10/30 12:31 p.m.6 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the exampledagdecorator function. An attacker can execute arbitrary commands on the worker by supplying a crafted parameter through the UI. Note: This is only exploitable if example DAGs are enabled in production o...

7.7CVSS8AI score0.00448EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2025/10/30 12:31 p.m.11 views

Apache Airflow has a command injection vulnerability in "example_dag_decorator"

An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...

4.6CVSS7.4AI score0.00448EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2025/10/30 12:31 p.m.2 views

GHSA-V3C9-J6H9-66V4 Apache Airflow has a command injection vulnerability in "example_dag_decorator"

An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...

7.7CVSS6AI score0.00448EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/10/30 9:45 a.m.3 views

CVE-2025-54941 Apache Airflow: Command injection in "example_dag_decorator"

An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...

6.9AI score0.00448EPSS
Exploits0References1
CVE
CVE
added 2025/10/30 9:45 a.m.44 views

CVE-2025-54941

The CVE-2025-54941 issue affects Apache Airflow, specifically the example_dag_decorator parameter handling. A non-validated parameter in the example DAG allowed a UI user to redirect to a malicious server and execute code on a worker, but exploitation requires that example DAGs are enabled in pro...

4.6CVSS6.9AI score0.00448EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2025/10/30 9:45 a.m.11 views

CVE-2025-54941 Apache Airflow: Command injection in "example_dag_decorator"

An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...

0.00448EPSS
Exploits0References1
OSV
OSV
added 2025/10/30 9:45 a.m.5 views

CVE-2025-54941 Apache Airflow: Command injection in "example_dag_decorator"

An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...

4.6CVSS6.2AI score0.00448EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2025/10/29 12:0 a.m.7 views

PT-2025-44367

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.0.5 Description A parameter in the example dag decorator dag was not properly validated, potentially allowing a user of the Airflow UI to redirect the example to a malicious server and execute code on a worke...

7.7CVSS6.1AI score0.00448EPSS
Exploits0References13
RedhatCVE
RedhatCVE
added 2025/05/23 8:7 a.m.5 views

CVE-2024-45498

Example DAG: exampleinleteventextra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...

8.8CVSS8.8AI score0.01237EPSS
Exploits0References1
OSV
OSV
added 2024/09/07 8:15 a.m.15 views

PYSEC-2024-266

Example DAG: exampleinleteventextra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...

8.8CVSS6.1AI score0.01237EPSS
Exploits0References4
Cvelist
Cvelist
added 2024/09/07 7:43 a.m.66 views

CVE-2024-45498 Apache Airflow: Command Injection in an example DAG

Example DAG: exampleinleteventextra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...

0.01237EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/09/07 7:43 a.m.24 views

CVE-2024-45498 Apache Airflow: Command Injection in an example DAG

Example DAG: exampleinleteventextra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...

7.2AI score0.01237EPSS
Exploits0References2
CVE
CVE
added 2024/09/07 7:43 a.m.303 views

CVE-2024-45498

CVE-2024-45498 concerns the Apache Airflow project. The vulnerability affects the example DAG named example_inlet_event_extra.py shipped with Airflow 2.10.0, where an authenticated attacker with only DAG-trigger permissions can execute arbitrary commands. Multiple sources (NVD, Red Hat, VERACODE,...

8.8CVSS8.7AI score0.01237EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2024/03/06 11:1 a.m.27 views

BIT-AIRFLOW-2020-11978

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler depending o...

8.8CVSS9.2AI score0.99118EPSS
Exploits9References5
Packet Storm
Packet Storm
added 2023/09/19 12:0 a.m.625 views

Apache Airflow 1.10.10 Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache Airflow 1.10.10 - Example DAG Remote Code Execution', 'Description' = %q This module exploits an unauthenticated command injection...

9.8CVSS7.1AI score0.9967EPSS
Exploits10
GithubExploit
GithubExploit
added 2023/07/29 9:26 a.m.760 views

Exploit for Command Injection in Apache Airflow

Apache Airflow SQL injection PoC CVE-2023-22884 PoC for C...

9.8CVSS10AI score0.11082EPSS
Exploits2
Rows per page
Query Builder