137 matches found
CVE-2024-27906
CVE-2024-27906 affects Apache Airflow versions before 2.8.2. The published docs describe a vulnerability where authenticated users can view DAG code and import errors for DAGs they should not be allowed to view via the API and the UI. The primary impact is information disclosure of DAG contents a...
CVE-2020-13927
Apache Airflow CVE-2020-13927: An authentication bypass existed in the Experimental API where unauthenticated requests could be processed by default in older Airflow versions. The issue was mitigated by changing the default from allowing all API requests to denying them by default starting with A...
CVE-2020-11978
Apache Airflow CVE-2020-11978 affects Airflow 1.10.10 and earlier in one of the shipped example DAGs, enabling remote command execution. The root cause is a command-injection vulnerability in the example DAGs, which could allow an authenticated user to run arbitrary commands as the user running t...
CVE-2021-28359
Technical details for CVE-2021-28359 are not present in the provided documents. Public sources in Connected Documents do not specify affected products/versions or fixes. Monitor for updates.
CVE-2024-39877
Summary: CVE-2024-39877 affects Apache Airflow versions 2.4.0 up to but not including 2.9.3. The affected component is the doc_md parameter, which an authenticated DAG author can craft to cause arbitrary code execution in the scheduler context. This is described across multiple sources (NVD, OSV entries, GHSA adv...
CVE-2024-41937
The CVE concerns Apache Airflow versions before 2.10.0, where a stored XSS vulnerability exists in the provider link workflow. If a malicious provider is installed on the web server, a user who clicks a provider documentation link can trigger script execution, enabling an attacker to perform a cr...
CVE-2024-45034
CVE-2024-45034 affects Apache Airflow versions before 2.10.1. The vulnerability lets DAG authors put local settings in the DAG folder that get executed by the scheduler, which should not run code submitted by DAG authors. Red Hat and OSV entries confirm the issue and point to a fix in 2.10.1 or l...
CVE-2024-25142
CVE-2024-25142 : The issue is in Apache Airflow where dynamic content did not return the Cache-Control header, potentially allowing browsers to store sensitive data in local cache. Affected version: Airflow prior to 2.9.2. The available connected documents confirm the root cause (missing Cache-Co...
CVE-2024-45498
CVE-2024-45498 concerns the Apache Airflow project. The vulnerability affects the example DAG named example_inlet_event_extra.py shipped with Airflow 2.10.0, where an authenticated attacker with only DAG-trigger permissions can execute arbitrary commands. Multiple sources (NVD, Red Hat, VERACODE,...
CVE-2024-50378
This CVE (CVE-2024-50378) affects Apache Airflow versions before 2.10.3. The root cause is that when sensitive variables are set via the Airflow CLI, their values were written to audit logs and stored unencrypted in the Airflow database, making them accessible to authenticated users with audit lo...
CVE-2024-39863
CVE-2024-39863 affects Apache Airflow versions before 2.9.3. An authenticated attacker can inject a malicious link when installing a provider. Users should upgrade to Airflow 2.9.3 to remediate. Other connected sources corroborate the vulnerability in the same version range and d...
CVE-2022-24288
CVE-2022-24288 affects Apache Airflow prior to 2.2.4, where some example DAGs did not properly sanitize user-provided parameters in the web UI, enabling OS command injection. Connected documents confirm an OS command injection vulnerability in affected DAGs (e.g., example_passing_params_via_test_...
CVE-2023-40611
Apache Airflow vulnerable before 2.7.1: authenticated DAG-view users can modify DAG run detail values when submitting notes (e.g., configuration, start date). Root cause relates to broken access control around DAG runs. A fix exists in 2.7.1 and later; upgrade to 2.7.1+ to remove the vulnerabilit...
CVE-2023-36543
CVE-2023-36543 affects Apache Airflow prior to 2.6.3. An authenticated user can submit crafted input that causes the current request to hang, effectively a DoS condition. The public records consistently state the impact as a hang of the current request with no other confidentiality/integrity impa...
CVE-2023-45348
CVE-2023-45348 affects Apache Airflow (versions 2.7.0 and 2.7.1). The issue is an information leakage where an authenticated user can retrieve sensitive configuration data when the expose_config option is set to non-sensitive-only (default is False). The vulnerability specifically concerns access...
CVE-2024-31869
The CVE affects Apache Airflow 2.7.0–2.8.4, where an authenticated user can view sensitive provider configuration on the configuration UI if webserver.expose_config is set to non-sensitive-only; the Celery provider is noted as having sensitive configurations. Impact is information disclosure via ...
CVE-2023-42792
CVE-2023-42792 (Apache Airflow) affects Airflow versions prior to 2.7.2. An authenticated user with limited access to some DAGs can craft a request to gain write access to DAG resources for DAGs they should not access, enabling them to clear those DAGs. Root cause described as improper access con...
CVE-2020-11981
CVE-2020-11981 affects Apache Airflow versions 1.10.10 and earlier when using CeleryExecutor with direct access to the broker (Redis or RabbitMQ). The underlying issue allows an attacker who can connect to the broker to inject commands, enabling the celery worker to run arbitrary commands and pot...
CVE-2021-45229
The CVE-2021-45229 entry describes a reflected XSS in Apache Airflow: the Trigger DAG with config screen is vulnerable to XSS via the origin URL parameter, affecting Airflow 2.2.3 and earlier. The root cause is insufficient input handling for the origin parameter that can inject script into the b...
CVE-2021-29621
The vulnerability is in Flask-AppBuilder (a Flask-based development framework). A user-enumeration flaw exists in the database authentication flow, where an unauthenticated user can infer existing accounts by measuring login response timing. Affected versions are Flask-AppBuilder
CVE-2022-40127
Apache Airflow before 2.4.0 is vulnerable to remote code execution via the run_id parameter on UI-triggered DAGs. The issue affects the Example Dags component and is triggered by manipulating run_id to execute arbitrary commands. Public references describe RCE on Airflow
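The three example-DAG command-injection entries above (CVE-2020-11978, CVE-2022-24288 and CVE-2022-40127) share one root cause: a value the triggering user controls (a dag_run.conf key, a run_id) is rendered by Jinja straight into a BashOperator bash_command string, so shell metacharacters in it become part of the command. The block below is an added illustration, not code from the Airflow project or from the affected DAGs: it reproduces the vulnerable string-interpolation pattern next to a hardened one that keeps the command text constant and passes the value through the process environment, then runs both through a shell the way BashOperator does (BashOperator uses bash -c; sh -c is used here and behaves the same for this input). The conf dictionary is constructed for the demonstration.

```python
import os
import subprocess

# Constructed attacker input standing in for the JSON given to "Trigger DAG w/ config"
# (hypothetical payload, not from any real incident).
MALICIOUS_CONF = {"message": "hello; echo INJECTED"}


def render_vulnerable(conf):
    """Pre-fix pattern: the conf value is interpolated into the command string, which is
    exactly what a template such as "echo {{ dag_run.conf['message'] }}" renders to."""
    return "echo {}".format(conf["message"])


def render_hardened(conf):
    """Hardened pattern: the command text never changes; the user value reaches the shell
    through the environment and a double-quoted expansion keeps it as data, not syntax."""
    return 'echo "$MESSAGE"', {"MESSAGE": str(conf["message"])}


def run_shell(command, extra_env=None):
    """Run `command` under a shell (-c), as BashOperator does, and return stdout lines."""
    env = dict(os.environ)
    env.update(extra_env or {})
    proc = subprocess.run(["sh", "-c", command], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def vulnerable_output(conf):
    # Two lines come back: the second command the attacker appended also ran.
    return run_shell(render_vulnerable(conf))


def hardened_output(conf):
    # One line comes back: the whole payload was echoed verbatim as a single argument.
    return run_shell(*render_hardened(conf))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_output(MALICIOUS_CONF))
    print("hardened:  ", hardened_output(MALICIOUS_CONF))
```

The same split applies to run_id: a templated "{{ run_id }}" inside bash_command is injectable, while an env entry of {"RUN_ID": "{{ run_id }}"} referenced as "$RUN_ID" is not, because Jinja rendering happens on the environment value rather than on the command line.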
CVE-2020-17526
Apache Airflow Webserver prior to version 1.10.14 with the default [webserver] secret_key allows an authenticated user on one site to access an unauthorized Webserver session on another site via session validation bypass. Affected component is the Webserver authentication mechanism; root cause is...
CVE-2022-41672
In Apache Airflow, CVE-2022-41672 affects versions prior to 2.4.1, where deactivating a user does not prevent an already authenticated user from continuing to use the UI or API. The NVD entry lists a high impact (CVSS v3.1 base score 8.1) with privileges required: low and no user interaction, ind...
CVE-2023-40712
CVE-2023-40712 affects Apache Airflow prior to 2.7.1. Authenticated users with UI access can craft a URL to view task/dag details, potentially unmasking secret task configuration that is normally masked in the UI. Impact is information exposure with high confidentiality impact as per the CVE; no ...
CVE-2021-38540
Affected software: Apache Airflow 2.x, specifically >=2.0.0 and
CVE-2020-13944
The vulnerability described as CVE-2020-13944 affects Apache Airflow via a Cross‑Site Scripting (XSS) flaw in the origin parameter for some endpoints (notably /trigger) in older Airflow releases. Connected advisories reiterate that the issue occurs in <1.10.12 (and related
CVE-2023-46215
CVE-2023-46215 affects Apache Airflow and its Celery provider. The issue is that sensitive information is logged in clear text when using rediss, amqp, or rpc protocols as the Celery result backend. Affected versions: Airflow Celery provider 3.3.0–3.4.0 and Apache Airflow 1.10.0–2.6.3. Impact is ...
CVE-2022-38170
CVE-2022-38170 affects Apache Airflow prior to 2.3.4. The issue is an insecure daemon umask applied to numerous Airflow components, causing a race condition that can create world-writable files in the Airflow home directory. This allows local users to expose arbitrary file contents via the webser...
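The CVE-2022-38170 entry above turns on a single process setting: the umask a daemonised Airflow component creates files under. The block below is an added example, not Airflow's own code. It creates one file under a fully permissive umask of 0 (assumed here to represent the pre-2.3.4 daemon behaviour the advisory calls insecure) and one under 0o077, then runs the check a practitioner would actually want, a walk of AIRFLOW_HOME for anything with the other-write bit set. The directory layout is constructed in a temporary directory; the file names are illustrative.

```python
import os
import shutil
import stat
import tempfile


def create_with_umask(path, umask):
    """Create `path` under the given process umask and return its permission bits.
    os.umask is process-global, so the previous value is restored in finally."""
    previous = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(previous)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable(root):
    """Return paths under `root` (files and directories, symlinks skipped) whose mode
    has the other-write bit: the condition the advisory describes for the Airflow home."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed AIRFLOW_HOME stand-in: one file made with umask 0, one with 0o077.
    Returns the resulting modes and what the world-writable scan finds."""
    home = tempfile.mkdtemp(prefix="airflow_home_")
    try:
        logs = os.path.join(home, "logs")
        os.mkdir(logs)
        os.chmod(logs, 0o755)  # explicit: do not depend on the caller's umask
        loose = create_with_umask(os.path.join(logs, "scheduler.log"), 0o000)
        tight = create_with_umask(os.path.join(home, "airflow-webserver.pid"), 0o077)
        return {"loose_mode": loose, "tight_mode": tight,
                "world_writable": world_writable(home)}
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    print(demo())
```

Running the world_writable walk over a real AIRFLOW_HOME on an affected deployment is the quickest way to confirm exposure before upgrading; an empty result after the upgrade is the check that the fix took effect.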
CVE-2023-22884
CVE-2023-22884 affects Apache Airflow (core) and the Apache Airflow MySQL Provider, with the vulnerability stemming from improper neutralization of input in the LOAD DATA LOCAL INFILE flow, enabling Command Injection. Reported affected versions: Airflow before 2.5.1 and MySQL Provider before 4.0....
CVE-2022-38054
Apache Airflow 2.2.4–2.3.3 is affected by a session fixation vulnerability in the database webserver session backend. The issue is documented across multiple sources (e.g., CVE-2022-38054, GHSA-5FF8-7639-6V6G, BIT-AIRFLOW-2022-38054) with high impact as per CVSS metrics. The provided Connected do...
CVE-2023-46288
CVE-2023-46288 affects Apache Airflow (versions 2.4.0–2.7.0) where sensitive configuration data could be read by authenticated users via the REST API when expose_config allows non-sensitive values. The issue is due to configuration exposure even when expose_config is set to non-sensitive-only; ve...
CVE-2022-27949
CVE-2022-27949 affects Apache Airflow (UI) prior to 2.3.1. The issue allows viewing unmasked secrets in rendered template values for tasks that were not executed (e.g., tasks dependent on past/failed instances). Root cause details are not elaborated beyond the vulnerability description in the con...
CVE-2022-45402
CVE-2022-45402 affects Apache Airflow versions prior to 2.4.3, which have an open redirect in the webserver’s /login endpoint. The root cause is an open redirect via the login parameter (e.g., next), enabling unvalidated redirects that could be used for phishing. The vulnerability is documented w...
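The open redirect in the CVE-2022-45402 entry above is the usual one: the login view trusts a next parameter and redirects to it after authentication. The block below is an added example, not Airflow's or Flask-AppBuilder's code: a validator that accepts only same-origin targets, written to reject the bypasses that a naive "starts with /" check misses (protocol-relative //host, backslash variants that browsers normalise to slashes, and non-http schemes). The application host name is an assumed value.

```python
from urllib.parse import urlsplit

# Assumed host of this Airflow webserver; in practice take it from configuration.
APP_HOST = "airflow.example.com"


def is_safe_next(next_url, app_host=APP_HOST):
    """True only for a site-relative path or an absolute http(s) URL on our own host."""
    if not next_url:
        return False
    # Browsers treat backslashes in the authority as slashes, so "\\evil" is "//evil".
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.netloc:
        # Absolute or protocol-relative URL: allow only http(s) on exactly our host.
        return parts.scheme in ("http", "https") and parts.netloc.lower() == app_host.lower()
    if parts.scheme:
        # "javascript:...", "data:..." or an odd form like "https:///evil": refuse.
        return False
    # No scheme, no host: require a single leading slash ("//" already has a netloc).
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_next(next_url, default="/home", app_host=APP_HOST):
    """Return the redirect target to use, falling back to `default` on anything unsafe."""
    return next_url if is_safe_next(next_url, app_host) else default


if __name__ == "__main__":
    for sample in ["/home", "//evil.example/phish", "\\\\evil.example",
                   "javascript:alert(1)", "https://airflow.example.com/dags"]:
        print(repr(sample), "->", resolve_next(sample))
```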
CVE-2023-39441
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by a certificate validation weakness in the OpenSSL-based SSL context. The default SSL context did not verify server X.509 certificates, allowing an attacker in a MIT...
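The CVE-2023-39441 entry above comes down to which ssl.SSLContext the SMTP and IMAP hooks hand to smtplib and imaplib. The block below is an added example, not the providers' code: it builds the weak context the advisory describes (no peer verification, no hostname check) beside the hardened one, and a small check that inspects a context before it is used, which is the assertion a practitioner would add to a connection-test DAG. The optional CA bundle path is an assumption.

```python
import ssl


def weak_context():
    """The failure mode from the advisory: a context that accepts any server certificate,
    so an attacker in the path can present their own and read the mail traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Verifying context: trusts the system (or the given) CA bundle, requires a chain and
    checks the presented name against the host being connected to."""
    ctx = ssl.create_default_context(cafile=cafile)  # already CERT_REQUIRED + hostname
    ctx.check_hostname = True                          # stated explicitly for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx):
    """Guard to run before smtplib.SMTP_SSL(context=ctx) / imaplib.IMAP4_SSL(ssl_context=ctx)."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


if __name__ == "__main__":
    print("weak:    ", context_is_safe(weak_context()))
    print("hardened:", context_is_safe(hardened_context()))
```

Both library constructors take the context as shown in the guard's docstring; passing the weak one reproduces the vulnerable behaviour, passing the hardened one is the fixed behaviour.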
CVE-2024-26280
Apache Airflow prior to 2.8.2 has an information-disclosure issue where authenticated Ops and Viewers can see audit-log contents (e.g., dag names, usernames not visible to them). Version 2.8.2+ fixes default audit-log permissions (Ops/Viewers no longer have access by default; admins retain access...
CVE-2020-11982
CVE-2020-11982 affects Apache Airflow
CVE-2020-17515
The CVE-2020-17515 issue is an XSS vulnerability in the Apache Airflow “origin” parameter (e.g., in /trigger). The root cause is that the origin parameter was reflected into the page without sufficient sanitization, allowing script injection. Public details indicate affected versions include Airflow releases prior to the patched point (initia...
CVE-2022-38649
CVE-2022-38649 describes an OS command injection vulnerability in the Apache Airflow Pinot Provider. The issue arises from improper neutralization of special elements when constructing OS commands, enabling an attacker to control commands executed in the task execution context without requiring D...
CVE-2022-40189
CVE-2022-40189 describes an OS command injection in the Apache Airflow Pig Provider. The root cause is improper neutralization of special elements used in OS commands, allowing an attacker to control commands executed in the task execution context. Affected are Pig Provider versions prior to 4.0....
CVE-2020-11983
CVE-2020-11983 affects Apache Airflow versions 1.10.10 and earlier, where the RBAC UI admin screens mishandle escaping, enabling authenticated users with necessary permissions to perform stored XSS. The issue arises from improper input escaping in admin management screens of the new/RBAC UI, allo...
CVE-2022-41131
The CVE-2022-41131 issue is an OS command injection in the Apache Airflow Hive Provider. Vulnerable components: Hive Provider versions prior to 4.1.0, and Airflow versions prior to 2.3.0 if the Hive Provider is installed. Root cause is improper neutralization of special elements in OS commands, a...
CVE-2023-42663
CVE-2023-42663 concerns Apache Airflow before 2.7.2, where an authorized user with access to some DAGs can read information about task instances in other DAGs, causing information disclosure across DAG boundaries. This is described across multiple sources as a permission-verification bypass expos...
CVE-2021-26559
CVE-2021-26559 describes an improper access control on the Stable API Configurations Endpoint in Apache Airflow, allowing users with Viewer or User roles to retrieve Airflow configurations (including sensitive data) even when webserver configuration [webserver] expose_config is set to False. Affe...
CVE-2023-47037
Apache Airflow (versions before 2.7.3) is affected by a Broken Access Control vulnerability tracked as CVE-2023-47037. The issue allows authenticated DAG-view authorized users to modify DAG run detail values (e.g., configuration parameters, start date) when submitting notes. The underlying proble...
CVE-2019-0229
The CVE-2019-0229 entry concerns cross-site request forgery (CSRF) in the Airflow webserver. The affected surface is multiple HTTP endpoints in both the RBAC and classic Airflow webservers, where protections against CSRF are insufficient. Root cause cited across connected sources is lack of adequ...
CVE-2020-9485
CVE-2020-9485 is a stored XSS issue affecting Apache Airflow 1.10.10 and earlier, specifically in the Chart pages of the classic UI. The vulnerability is the result of unvalidated input being reflected in the UI, enabling an attacker to inject script via the affected chart rendering. The provided...
CVE-2022-40954
The CVE-2022-40954 issue is an OS Command Injection in the Apache Airflow Spark Provider that lets an attacker read arbitrary files in the task execution context without file write access to DAGs. Affected products: Spark Provider versions prior to 4.0.0 and Airflow versions prior to 2.3.0 when t...
CVE-2019-12417
CVE-2019-12417 affects Apache Airflow. A malicious admin user could edit the state of objects in the Airflow metadata database, triggering arbitrary JavaScript execution on affected page views (cross-site scripting). The same action also enables a Local File Disclosure to access files readable by...
CVE-2020-17513
Apache Airflow versions prior to 1.10.13 expose a Server-Side Request Forgery (SSRF) vulnerability in the old Flask-admin UI, specifically the Charts and Query View. The issue is described as SSRF in the Chart/Query View of the legacy UI, without details on exploit vectors, affected subcomponents...
CVE-2021-26697
CVE-2021-26697 affects Apache Airflow 2.0.0: the lineage endpoint of the deprecated Experimental API is not protected by authentication, allowing unauthenticated access to metadata about a DAG and its tasks. This is described as a low-severity issue with a low attack surface, requiring the attack...