ApacheAirflow

137 matches found

CVE
added 2024/02/29 11:2 a.m., 2720 views

CVE-2024-27906

CVE-2024-27906 affects Apache Airflow versions before 2.8.2. The published docs describe a vulnerability where authenticated users can view DAG code and import errors for DAGs they should not be allowed to view via the API and the UI. The primary impact is information disclosure of DAG contents a...

CVSS 5.9, AI score 5.5, EPSS 0.00343
CVE
added 2020/11/10 12:0 a.m., 1167 views

CVE-2020-13927

Apache Airflow CVE-2020-13927: An authentication bypass existed in the Experimental API where unauthenticated requests could be processed by default in older Airflow versions. The issue was mitigated by changing the default from allowing all API requests to denying them by default starting with A...

CVSS 9.8, AI score 9.2, EPSS 0.997
In wild, Web
CVE
added 2020/07/16 12:0 a.m., 1102 views

CVE-2020-11978

Apache Airflow CVE-2020-11978 affects Airflow 1.10.10 and earlier in one of the shipped example DAGs, enabling remote command execution. The root cause is a command-injection vulnerability in the example DAGs, which could allow an authenticated user to run arbitrary commands as the user running t...

CVSS 8.8, AI score 9.1, EPSS 0.99118
In wild, Web
CVE
added 2021/05/02 7:55 a.m., 906 views

CVE-2021-28359

Technical details for CVE-2021-28359 are not present in the provided documents. Public sources in Connected Documents do not specify affected products/versions or fixes. Monitor for updates.

CVSS 6.1, AI score 7.1, EPSS 0.14389
Web
CVE
added 2024/07/17 7:54 a.m., 325 views

CVE-2024-39877

Summary: CVE-2024-39877 affects Apache Airflow 2.4.0 and all versions before 2.9.3. Affected component is the doc_md parameter that authenticated DAG authors can craft to cause arbitrary code execution in the scheduler context. This is described across multiple sources (NVD, OSV entries, GHSA adv...

CVSS 8.8, AI score 8.8, EPSS 0.01726
CVE
added 2024/08/21 3:31 p.m., 311 views

CVE-2024-41937

The CVE concerns Apache Airflow versions before 2.10.0, where a stored XSS vulnerability exists in the provider link workflow. If a malicious provider is installed on the web server, a user who clicks a provider documentation link can trigger script execution, enabling an attacker to perform a cr...

CVSS 6.1, AI score 6.1, EPSS 0.01804
CVE
added 2024/09/07 7:45 a.m., 306 views

CVE-2024-45034

CVE-2024-45034 affects Apache Airflow versions before 2.10.1. The vulnerability lets DAG authors put local settings in the DAG folder that get executed by the scheduler, which should not run code submitted by DAG authors. Red Hat and OSV entries confirm the issue and point to a fix in 2.10.1 or l...

CVSS 8.8, AI score 8.7, EPSS 0.01688
CVE
added 2024/06/14 8:25 a.m., 303 views

CVE-2024-25142

CVE-2024-25142: The issue is in Apache Airflow where dynamic content did not return the Cache-Control header, potentially allowing browsers to store sensitive data in local cache. Affected version: Airflow prior to 2.9.2. The available connected documents confirm the root cause (missing Cache-Co...

CVSS 5.5, AI score 6.3, EPSS 0.00318
CVE
added 2024/09/07 7:43 a.m., 302 views

CVE-2024-45498

CVE-2024-45498 concerns the Apache Airflow project. The vulnerability affects the example DAG named example_inlet_event_extra.py shipped with Airflow 2.10.0, where an authenticated attacker with only DAG-trigger permissions can execute arbitrary commands. Multiple sources (NVD, Red Hat, VERACODE,...

CVSS 8.8, AI score 8.7, EPSS 0.01237
CVE
added 2024/11/08 2:37 p.m., 300 views

CVE-2024-50378

This CVE (CVE-2024-50378) affects Apache Airflow versions before 2.10.3. The root cause is that when sensitive variables are set via the Airflow CLI, their values were written to audit logs and stored unencrypted in the Airflow database, making them accessible to authenticated users with audit lo...

CVSS 4.9, AI score 4.9, EPSS 0.01201
CVE
added 2024/07/17 7:53 a.m., 291 views

CVE-2024-39863

CVE-2024-39863 affects Apache Airflow up to version 2.9.3 prior to the fix. An authenticated attacker can inject a malicious link during provider installation. Users should upgrade to Airflow 2.9.3 to remediate. Other connected sources corroborate the vulnerability in the same version range and d...

CVSS 8.1, AI score 5.2, EPSS 0.00996
CVE
added 2022/02/25 8:30 a.m., 161 views

CVE-2022-24288

CVE-2022-24288 affects Apache Airflow prior to 2.2.4, where some example DAGs did not properly sanitize user-provided parameters in the web UI, enabling OS command injection. Connected documents confirm an OS command injection vulnerability in affected DAGs (e.g., example_passing_params_via_test_...

CVSS 8.8, AI score 8.8, EPSS 0.7788
CVE
added 2023/09/12 11:5 a.m., 152 views

CVE-2023-40611

Apache Airflow before 2.7.1 is vulnerable: authenticated DAG-view users can modify DAG run detail values (e.g., configuration, start date) when submitting notes. The root cause is broken access control around DAG runs. A fix exists in 2.7.1 and later; upgrade to 2.7.1+ to remove the vulnerabilit...

CVSS 4.3, AI score 4.7, EPSS 0.01305
CVE
added 2023/07/12 9:17 a.m., 149 views

CVE-2023-36543

CVE-2023-36543 affects Apache Airflow prior to 2.6.3. An authenticated user can submit crafted input that causes the current request to hang, effectively a DoS condition. The public records consistently state the impact as a hang of the current request with no other confidentiality/integrity impa...

CVSS 6.5, AI score 6.2, EPSS 0.01157
CVE
added 2023/10/14 9:46 a.m., 146 views

CVE-2023-45348

CVE-2023-45348 affects Apache Airflow (versions 2.7.0 and 2.7.1). The issue is an information leakage where an authenticated user can retrieve sensitive configuration data when the expose_config option is set to non-sensitive-only (default is False). The vulnerability specifically concerns access...

CVSS 4.3, AI score 4.2, EPSS 0.01232
CVE
added 2024/04/18 7:19 a.m., 136 views

CVE-2024-31869

The CVE affects Apache Airflow 2.7.0–2.8.4, where an authenticated user can view sensitive provider configuration on the configuration UI if webserver.expose_config is set to non-sensitive-only; the Celery provider is noted as having sensitive configurations. Impact is information disclosure via ...

CVSS 5.3, AI score 4.2, EPSS 0.01049
CVE
added 2023/10/14 9:47 a.m., 134 views

CVE-2023-42792

CVE-2023-42792 (Apache Airflow) affects Airflow versions prior to 2.7.2. An authenticated user with limited access to some DAGs can craft a request to gain write access to DAG resources for DAGs they should not access, enabling them to clear those DAGs. Root cause described as improper access con...

CVSS 6.5, AI score 5.2, EPSS 0.01433
CVE
added 2020/07/16 11:21 p.m., 132 views

CVE-2020-11981

CVE-2020-11981 affects Apache Airflow versions 1.10.10 and earlier when using CeleryExecutor with direct access to the broker (Redis or RabbitMQ). The underlying issue allows an attacker who can connect to the broker to inject commands, enabling the celery worker to run arbitrary commands and pot...

CVSS 9.8, AI score 9.3, EPSS 0.3398
CVE
added 2020/12/21 4:45 p.m., 129 views

CVE-2020-17526

Apache Airflow Webserver prior to version 1.10.14 with the default [webserver] secret_key allows an authenticated user on one site to access an unauthorized Webserver session on another site via session validation bypass. Affected component is the Webserver authentication mechanism; root cause is...

CVSS 7.7, AI score 7.4, EPSS 0.23336
CVE
added 2021/06/07 7:0 p.m., 129 views

CVE-2021-29621

The vulnerability is in Flask-AppBuilder (a Flask-based development framework). A user-enumeration flaw exists in the database authentication flow, where an unauthenticated user can infer existing accounts by measuring login response timing. Affected versions are Flask-AppBuilder

CVSS 5.3, AI score 5.2, EPSS 0.03404
CVE
added 2023/10/14 9:47 a.m., 129 views

CVE-2023-42663

CVE-2023-42663 concerns Apache Airflow before 2.7.2, where an authorized user with access to some DAGs can read information about task instances in other DAGs, causing information disclosure across DAG boundaries. This is described across multiple sources as a permission-verification bypass expos...

CVSS 6.5, AI score 6.1, EPSS 0.01551
CVE
added 2022/02/25 8:30 a.m., 128 views

CVE-2021-45229

The CVE-2021-45229 entry describes a reflected XSS in Apache Airflow: the Trigger DAG with config screen is vulnerable to XSS via the origin URL parameter, affecting Airflow 2.2.3 and earlier. The root cause is insufficient input handling for the origin parameter that can inject script into the b...

CVSS 6.1, AI score 6, EPSS 0.02561
CVE
added 2022/11/14 12:0 a.m., 127 views

CVE-2022-40127

Apache Airflow before 2.4.0 is vulnerable to remote code execution via the run_id parameter on UI-triggered DAGs. The issue affects the Example Dags component and is triggered by manipulating run_id to execute arbitrary commands. Public references describe RCE on Airflow

CVSS 8.8, AI score 8.8, EPSS 0.85653
CVE
added 2021/09/09 3:5 p.m., 125 views

CVE-2021-38540

Affected software: Apache Airflow 2.x, specifically >=2.0.0 and

CVSS 9.8, AI score 9.8, EPSS 0.80938
Web
CVE
added 2023/09/12 11:5 a.m., 125 views

CVE-2023-40712

CVE-2023-40712 affects Apache Airflow prior to 2.7.1. Authenticated users with UI access can craft a URL to view task/dag details, potentially unmasking secret task configuration that is normally masked in the UI. Impact is information exposure with high confidentiality impact as per the CVE; no ...

CVSS 6.5, AI score 6.4, EPSS 0.01476
CVE
added 2022/10/07 12:0 a.m., 124 views

CVE-2022-41672

In Apache Airflow, CVE-2022-41672 affects versions prior to 2.4.1, where deactivating a user does not prevent an already authenticated user from continuing to use the UI or API. The NVD entry lists a high impact (CVSS v3.1 base score 8.1) with privileges required: low and no user interaction, ind...

CVSS 8.1, AI score 7.9, EPSS 0.01197
CVE
added 2023/01/21 1:2 p.m., 113 views

CVE-2023-22884

CVE-2023-22884 affects Apache Airflow (core) and the Apache Airflow MySQL Provider, with the vulnerability stemming from improper neutralization of input in the LOAD DATA LOCAL INFILE flow, enabling Command Injection. Reported affected versions: Airflow before 2.5.1 and MySQL Provider before 4.0....

CVSS 9.8, AI score 9.5, EPSS 0.11082
CVE
added 2023/10/28 7:10 a.m., 112 views

CVE-2023-46215

CVE-2023-46215 affects Apache Airflow and its Celery provider. The issue is that sensitive information is logged in clear text when using rediss, amqp, or rpc protocols as the Celery result backend. Affected versions: Airflow Celery provider 3.3.0–3.4.0 and Apache Airflow 1.10.0–2.6.3. Impact is ...

CVSS 7.5, AI score 7.3, EPSS 0.01203
CVE
added 2020/09/17 2:1 p.m., 111 views

CVE-2020-13944

The vulnerability described as CVE-2020-13944 affects Apache Airflow via a Cross-Site Scripting (XSS) flaw in the origin parameter for some endpoints (notably /trigger) in older Airflow releases. Connected advisories reiterate that the issue occurs in <1.10.12 (and related

CVSS 6.1, AI score 5.8, EPSS 0.25076
CVE
added 2022/09/02 7:10 a.m., 110 views

CVE-2022-38170

CVE-2022-38170 affects Apache Airflow prior to 2.3.4. The issue is an insecure daemon umask applied to numerous Airflow components, causing a race condition that can create world-writable files in the Airflow home directory. This allows local users to expose arbitrary file contents via the webser...

CVSS 4.7, AI score 4.6, EPSS 0.00593
CVE
added 2024/03/01 11:5 a.m., 110 views

CVE-2024-26280

Apache Airflow prior to 2.8.2 has an information-disclosure issue where authenticated Ops and Viewers can see audit-log contents (e.g., dag names, usernames not visible to them). Version 2.8.2+ fixes default audit-log permissions (Ops/Viewers no longer have access by default; admins retain access...

CVSS 4.7, AI score 4.4, EPSS 0.01856
CVE
added 2026/04/18 6:20 a.m., 109 views

CVE-2026-30898

CVE-2026-30898 concerns Apache Airflow where BashOperator usage documented in DAGs could pass dag_run.conf unsafely, enabling UI user privileges to execute code on workers. The issue arises from an example that could escalate privileges via shell injection-like behavior. The connected OSV entry c...

CVSS 8.8, AI score 5.9, EPSS 0.00771
CVE
added 2023/10/23 6:13 p.m., 108 views

CVE-2023-46288

CVE-2023-46288 affects Apache Airflow (versions 2.4.0–2.7.0) where sensitive configuration data could be read by authenticated users via the REST API when expose_config allows non-sensitive values. The issue is due to configuration exposure even when expose_config is set to non-sensitive-only; ve...

CVSS 4.3, AI score 4.2, EPSS 0.01416
CVE
added 2022/11/14 12:0 a.m., 107 views

CVE-2022-27949

CVE-2022-27949 affects Apache Airflow (UI) prior to 2.3.1. The issue allows viewing unmasked secrets in rendered template values for tasks that were not executed (e.g., tasks dependent on past/failed instances). Root cause details are not elaborated beyond the vulnerability description in the con...

CVSS 7.5, AI score 7.4, EPSS 0.0168
CVE
added 2022/09/02 7:10 a.m., 107 views

CVE-2022-38054

Apache Airflow 2.2.4–2.3.3 is affected by a session fixation vulnerability in the database webserver session backend. The issue is documented across multiple sources (e.g., CVE-2022-38054, GHSA-5FF8-7639-6V6G, BIT-AIRFLOW-2022-38054) with high impact as per CVSS metrics. The provided Connected do...

CVSS 9.8, AI score 9.4, EPSS 0.01881
CVE
added 2022/11/22 12:0 a.m., 106 views

CVE-2022-38649

CVE-2022-38649 describes an OS command injection vulnerability in the Apache Airflow Pinot Provider. The issue arises from improper neutralization of special elements when constructing OS commands, enabling an attacker to control commands executed in the task execution context without requiring D...

CVSS 9.8, AI score 9.7, EPSS 0.03228
CVE
added 2023/08/23 3:39 p.m., 105 views

CVE-2023-39441

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by a certificate validation weakness in the OpenSSL-based SSL context. The default SSL context did not verify server X.509 certificates, allowing an attacker in a MIT...

CVSS 5.9, AI score 5.5, EPSS 0.00594
CVE
added 2022/11/15 12:0 a.m., 104 views

CVE-2022-45402

CVE-2022-45402 affects Apache Airflow versions prior to 2.4.3, which have an open redirect in the webserver’s /login endpoint. The root cause is an open redirect via the login parameter (e.g., next), enabling unvalidated redirects that could be used for phishing. The vulnerability is documented w...

CVSS 6.1, AI score 6, EPSS 0.81836
CVE
added 2020/07/16 11:21 p.m., 103 views

CVE-2020-11982

CVE-2020-11982 affects Apache Airflow

CVSS 9.8, AI score 9.4, EPSS 0.07225
CVE
added 2020/12/11 1:40 p.m., 102 views

CVE-2020-17515

The CVE-2020-17515 issue is an XSS vulnerability in the Apache Airflow “origin” parameter (e.g., in /trigger). The root cause is an unpatched origin parameter allowing reflected/scriptable input. Public details indicate affected versions include Airflow releases prior to the patched point (initia...

CVSS 6.1, AI score 5.9, EPSS 0.16028
CVE
added 2022/11/22 12:0 a.m., 102 views

CVE-2022-40189

CVE-2022-40189 describes an OS command injection in the Apache Airflow Pig Provider. The root cause is improper neutralization of special elements used in OS commands, allowing an attacker to control commands executed in the task execution context. Affected are Pig Provider versions prior to 4.0....

CVSS 9.8, AI score 9.7, EPSS 0.03944
CVE
added 2020/07/16 11:21 p.m., 100 views

CVE-2020-11983

CVE-2020-11983 affects Apache Airflow versions 1.10.10 and earlier, where the RBAC UI admin screens mishandle escaping, enabling authenticated users with necessary permissions to perform stored XSS. The issue arises from improper input escaping in admin management screens of the new/RBAC UI, allo...

CVSS 5.4, AI score 5, EPSS 0.01251
CVE
added 2022/11/22 12:0 a.m., 99 views

CVE-2022-41131

The CVE-2022-41131 issue is an OS command injection in the Apache Airflow Hive Provider. Vulnerable components: Hive Provider versions prior to 4.1.0, and Airflow versions prior to 2.3.0 if the Hive Provider is installed. Root cause is improper neutralization of special elements in OS commands, a...

CVSS 7.8, AI score 7.9, EPSS 0.01753
CVE
added 2023/08/05 6:47 a.m., 96 views

CVE-2023-39508

The CVE-2023-39508 issue affects Apache Airflow prior to 2.6.0, where the Run Task feature could be exploited by an authenticated user to execute code in the webserver context and bypass DAG access restrictions, exposing sensitive information and potentially impacting confidentiality, integrity, ...

CVSS 8.8, AI score 8.8, EPSS 0.0236
CVE
added 2021/02/17 2:15 p.m., 95 views

CVE-2021-26559

CVE-2021-26559 describes an improper access control on the Stable API Configurations Endpoint in Apache Airflow, allowing users with Viewer or User roles to retrieve Airflow configurations (including sensitive data) even when webserver configuration [webserver] expose_config is set to False. Affe...

CVSS 6.5, AI score 6.4, EPSS 0.02805
CVE
added 2023/07/12 9:14 a.m., 95 views

CVE-2023-22887

CVE-2023-22887 affects Apache Airflow versions before 2.6.3. The issue enables an authenticated attacker to perform unauthorized file access outside the intended directory by manipulating the run_id parameter (path traversal). The vulnerability is described as low impact since exploitation requir...

CVSS 6.5, AI score 6.1, EPSS 0.01874
CVE
added 2023/11/12 1:12 p.m., 95 views

CVE-2023-47037

Apache Airflow (versions before 2.7.3) is affected by a Broken Access Control vulnerability tracked as CVE-2023-47037. The issue allows authenticated DAG-view authorized users to modify DAG run detail values (e.g., configuration parameters, start date) when submitting notes. The underlying proble...

CVSS 4.3, AI score 4.6, EPSS 0.01497
CVE
added 2022/09/21 7:25 a.m., 94 views

CVE-2022-40604

CVE-2022-40604 affects Apache Airflow 2.3.0–2.3.4. A component of a URL was unnecessarily formatted, enabling information disclosure from a formatted URL. Multiple sources (NVD, OSV entries, and third-party advisories) corroborate a format-string vulnerability in the URL handling path (notably in...

CVSS 7.5, AI score 7.4, EPSS 0.01573
CVE
added 2022/11/22 12:0 a.m., 94 views

CVE-2022-40954

The CVE-2022-40954 issue is an OS Command Injection in the Apache Airflow Spark Provider that lets an attacker read arbitrary files in the task execution context without file write access to DAGs. Affected products: Spark Provider versions prior to 4.0.0 and Airflow versions prior to 2.3.0 when t...

CVSS 5.5, AI score 5.5, EPSS 0.01383
CVE
added 2019/10/30 9:4 p.m., 92 views

CVE-2019-12417

CVE-2019-12417 affects Apache Airflow. A malicious admin user could edit the state of objects in the Airflow metadata database, triggering arbitrary JavaScript execution on affected page views (cross-site scripting). The same action also enables a Local File Disclosure to access files readable by...

CVSS 4.8, AI score 5.5, EPSS 0.01345

Total number of security vulnerabilities: 137