BIT-AIRFLOW-2026-40861 Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler

A Dag author could either a create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process read-path attack — e.g. /etc/passwd or airflow.cfg or b supply a taskid containing .. sequences accepted by the Task SDK's KEYREGEX write-path attack, and...

Arbitrary File Read via Log Symlink following in FileTaskHandler

This report is not public...

Improper Preservation Of Permissions

Apache Airflow is vulnerable to Improper Preservation of Permissions. This vulnerability is caused due to Airflow's local file task handler incorrectly setting permissions for parent folders of the log folder, potentially granting unintended group write access...

Apache Airflow Security Bypass Vulnerability (CNVD-2024-26538)

Apache Airflow is the United States Apache Apache Foundation's set of open source platform for creating, managing and monitoring workflow. The platform is scalable and dynamic monitoring and other characteristics. A security bypass vulnerability exists in Apache Airflow versions 2.8.2 through 2.8...

GHSA-CFF3-5QRP-HQX7 Apache Airflow Improper Preservation of Permissions vulnerability

Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix...

CVE-2024-29735

CVE-2024-29735 affects Apache Airflow (versions 2.8.2–2.8.3) due to the local file task handler incorrectly setting permissions on parent folders of the log directory, potentially granting group write access. The issue can impact log storage paths, and, if the home directory becomes group-writabl...

CVE-2024-29735 Apache Airflow: Potentially harmful permission changing by log task handler

Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix...

PT-2024-2708 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions 2.8.2 through 2.8.3 Description: The issue is related to improper preservation of permissions in Apache Airflow, which can allow a remote attacker to gain write access to arbitrary files in the file system. This is due...