27 matches found
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances that evaluates authorization against the dagid resolved from the URL path while operating on...
PYSEC-2026-183
A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...
PYSEC-0000-CVE-2026-41084
A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...
PYSEC-2026-183
A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...
CVE-2026-41084
A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...
CVE-2026-41084
A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...
CVE-2026-41084
CVE-2026-41084: Apache Airflow bug in the bulk Task Instances API (PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances) evaluated authorization from the URL dag_id while operating on dag_id/dag_run_id from the request body. An authenticated user with edit permission on one Dag c...
EUVD-2026-33592
A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...
PT-2026-45976
A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dag id/dagRuns/dag run id/taskInstances evaluated authorization against the dag id resolved from the URL path while operating on the dag id / dag run id extracted from request-body entity fields. An authenticated UI/API...
PT-2026-45367
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description A bug in the bulk Task Instances API allows an authenticated UI or API user to bypass authorization and mutate Task Instance states across different DAGs. The system evaluates authorization...
Apache Airflow Security Bypass Vulnerability (CNVD-2026-15157)
Apache Airflow is the United States Apache Apache Foundation's set of open source platform with the creation, management and monitoring of workflow functions. The platform is scalable and dynamic monitoring and other features. Apache Airflow suffers from a security bypass vulnerability that stems...
BIT-AIRFLOW-2023-42663 Apache Airflow: Bypass permission verification to view task instances of other dags
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated wit...
Missing Authorization
Apache Airflow is vulnerable to Missing Authorization. The vulnerability is due to a lack of validation while authorizing users to read DAGs. A user with read permission to specific DAGs can read task instances of other DAGs...
Security feature bypass
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are...
PYSEC-2023-231
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome.Users of Apache Airflow are...
CVE-2023-42781 Apache Airflow: Permission verification bypass allows viewing dagruns of other dags
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are...
CVE-2023-42781
CVE-2023-42781 affects Apache Airflow up to versions before 2.7.3 . The issue allows an authorized user (with access to read specific DAGs) to view information about task instances in other DAGs . This is a cross-DAG information disclosure vulnerability rather than a code execution flaw. Mitigati...
PT-2023-6909 · Apache · Apache Airflow
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.7.3 Description: The issue is related to insufficient protection of internal data in Apache Airflow, allowing an authorized user with limited access to read specific DAGs to also read information about task...
BIT-2023-42663
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with...
Information Disclosure
Apache Airflow is vulnerable to Information Disclosure. The vulnerability is due to an improper access control mechanism which allows an authorized user with read access to specific Directed Acyclic Graphs DAGS to access information about task instances in other DAGs...