Lucene search
K
ApacheAirflow

143 matches found

CVE
CVE
added 2023/07/12 9:14 a.m.95 views

CVE-2023-22887

CVE-2023-22887 affects Apache Airflow versions before 2.6.3. The issue enables an authenticated attacker to perform unauthorized file access outside the intended directory by manipulating the run_id parameter (path traversal). The vulnerability is described as low impact since exploitation requir...

6.5CVSS6.1AI score0.01874EPSS
CVE
CVE
added 2020/12/14 9:40 a.m.93 views

CVE-2020-17513

Apache Airflow versions prior to 1.10.13 expose a Server-Side Request Forgery (SSRF) vulnerability in the old Flask-admin UI, specifically the Charts and Query View. The issue is described as SSRF in the Chart/Query View of the legacy UI, without details on exploit vectors, affected subcomponents...

5.3CVSS5.5AI score0.04325EPSS
CVE
CVE
added 2023/10/14 9:46 a.m.93 views

CVE-2023-42780

Apache Airflow vulnerability CVE-2023-42780 affects versions prior to 2.7.2. Authenticated users can list warnings for all DAGs, even if they lack permission to view those DAGs, exposing dag_ids and import-error stack traces. Impact is information disclosure of non-authorized DAG metadata; no exp...

6.5CVSS6.2AI score0.01071EPSS
CVE
CVE
added 2019/04/10 7:51 p.m.92 views

CVE-2019-0229

The CVE-2019-0229 entry concerns cross-site request forgery (CSRF) in the Airflow webserver. The affected surface is multiple HTTP endpoints in both the RBAC and classic Airflow webservers, where protections against CSRF are insufficient. Root cause cited across connected sources is lack of adequ...

8.8CVSS8.7AI score0.01563EPSS
CVE
CVE
added 2026/04/18 6:20 a.m.92 views

CVE-2026-25917

Apache Airflow CVE-2026-25917 involves API extra-links enabling crafted XCom payloads that can lead to webserver code execution via XCom deserialization/class instantiation. Affected component is the Airflow webserver’s handling of XCom; root cause described as deserialization/instantiation of pa...

7.2CVSS6AI score0.00822EPSS
CVE
CVE
added 2020/07/16 11:21 p.m.91 views

CVE-2020-9485

CVE-2020-9485 is a stored XSS issue affecting Apache Airflow 1.10.10 and earlier, specifically in the Chart pages of the classic UI. The vulnerability is the result of unvalidated input being reflected in the UI, enabling an attacker to inject script via the affected chart rendering. The provided...

6.1CVSS5.8AI score0.01965EPSS
CVE
CVE
added 2021/02/17 2:15 p.m.91 views

CVE-2021-26697

CVE-2021-26697 affects Apache Airflow 2.0.0: the lineage endpoint of the deprecated Experimental API is not protected by authentication, allowing unauthenticated access to metadata about a DAG and its tasks. This is described as a low-severity issue with a low attack surface, requiring the attack...

5.3CVSS5.2AI score0.04555EPSS
CVE
CVE
added 2022/11/02 12:0 a.m.90 views

CVE-2022-43985

In Apache Airflow, versions prior to 2.4.2 contain an open redirect in the webserver’s /confirm endpoint. Affected component is the Airflow webserver; root cause is an open redirect path in /confirm. The practical impact is an open redirect vulnerability (no exploitation details provided in the s...

6.1CVSS6AI score0.01494EPSS
CVE
CVE
added 2024/01/24 12:57 p.m.90 views

CVE-2023-50943

Apache Airflow before 2.8.1 is affected by a pickle-deserialization issue in XComs. By bypassing the enable_xcom_pickling=False protection, an attacker could poison XCom data during deserialization, with impact described as data integrity risk. The vulnerability affects Airflow versions prior to ...

7.5CVSS7.3AI score0.0121EPSS
CVE
CVE
added 2023/05/08 11:57 a.m.89 views

CVE-2023-25754

Apache Airflow prior to 2.6.0 is affected by a Privilege Context Switching Error that can allow a local Linux user to read sensitive files (e.g., SSH keys) by abusing insecure log file permissions. The issue is described as a privilege escalation via log handling. A fix is available in Airflow 2....

9.8CVSS9.4AI score0.0228EPSS
CVE
CVE
added 2023/05/08 9:1 a.m.88 views

CVE-2023-29247

CVE-2023-29247 corresponds to a stored XSS in Apache Airflow’s Task instance details page, affecting versions prior to 2.6.0. Several connected sources (NVD, OSV entries, CNVD, GHSA, CNVD) converge on: vulnerable component is the UI rendering of task instance details; root cause is improper handl...

5.4CVSS5.2AI score0.01911EPSS
CVE
CVE
added 2023/08/23 3:37 p.m.88 views

CVE-2023-40273

CVE-2023-40273 : A session fixation vulnerability in Apache Airflow allowed authenticated users to continue accessing the web UI after a password reset. In the database session backend, existing sessions are invalidated when a user’s password is reset; in the securecookie backend, sessions are no...

8CVSS7.7AI score0.01366EPSS
CVE
CVE
added 2024/03/14 8:41 a.m.88 views

CVE-2024-28746

CVE-2024-28746 affects Apache Airflow versions 2.8.0–2.8.2. The issue allows an authenticated user with limited permissions to access resources (e.g., variables, connections) from the UI that they should not access, constituting an information disclosure vulnerability. The cited connected documen...

8.1CVSS7.9AI score0.01332EPSS
CVE
CVE
added 2019/04/10 7:52 p.m.87 views

CVE-2019-0216

CVE-2019-0216 affects Apache Airflow where a malicious admin user could edit the state of objects in the Airflow metadata database, causing stored cross-site scripting by injecting arbitrary JavaScript on certain web views. The vulnerability arises from how the web interface renders or handles da...

4.8CVSS5.5AI score0.02767EPSS
CVE
CVE
added 2023/03/15 9:37 a.m.87 views

CVE-2023-25695

CVE-2023-25695 affects Apache Airflow prior to 2.5.2 and is an information-disclosure vulnerability caused by error messages that can contain sensitive data. The related advisories note that tracebacks may reveal details (e.g., Python/Airflow version, node name) to users, potentially aiding targe...

5.3CVSS5.2AI score0.01382EPSS
CVE
CVE
added 2023/08/23 3:38 p.m.87 views

CVE-2023-37379

CVE-2023-37379 affects Apache Airflow versions prior to 2.7.0. An authenticated user with Connection edit privileges can access connection information and abuse the test connection feature by sending many requests, causing a DoS condition on the server and enabling potentially harmful connections...

8.1CVSS7.8AI score0.01488EPSS
CVE
CVE
added 2021/08/16 7:25 a.m.86 views

CVE-2021-35936

Apache Airflow CVE-2021-35936 affects versions older than 2.1.2. When remote logging is not used, the worker (CeleryExecutor) or the scheduler (LocalExecutor) spins up a Flask logging server that binds to 0.0.0.0 on a specific port and lacks authentication, allowing reads of DAG job log files. Th...

5.3CVSS5.7AI score0.04022EPSS
CVE
CVE
added 2024/03/26 4:52 p.m.86 views

CVE-2024-29735

CVE-2024-29735 affects Apache Airflow (versions 2.8.2–2.8.3) due to the local file task handler incorrectly setting permissions on parent folders of the log directory, potentially granting group write access. The issue can impact log storage paths, and, if the home directory becomes group-writabl...

5.3CVSS5.1AI score0.0146EPSS
CVE
CVE
added 2022/11/02 12:0 a.m.85 views

CVE-2022-43982

CVE-2022-43982 (Apache Airflow) refers to a cross-site scripting vulnerability in versions prior to 2.4.2, where the Trigger DAG with config screen is vulnerable to XSS via the origin query parameter. The issue arises in the web UI when user-supplied data in origin is reflected back, potentially ...

6.1CVSS5.9AI score0.01435EPSS
CVE
CVE
added 2019/01/23 5:0 p.m.84 views

CVE-2017-15720

CVE-2017-15720 affects Apache Airflow 1.8.2 and earlier. An authenticated user can trigger remote code execution on the Airflow webserver by creating a specially crafted object. Reported in multiple feeds (NVD, GHSA, OSV, CNVD/CVE records), the exposure is described as remote code execution with ...

8.8CVSS8.6AI score0.02044EPSS
CVE
CVE
added 2020/12/14 9:40 a.m.84 views

CVE-2020-17511

CVE-2020-17511 affects Apache Airflow versions prior to 1.10.13. The vulnerability arises when creating a user (via airflow CLI) or a connection with a password field, causing the password to be logged in plaintext in the Log table in the Airflow metadata database. This issue is consistently desc...

6.5CVSS6.3AI score0.02537EPSS
CVE
CVE
added 2023/11/12 1:14 p.m.84 views

CVE-2023-42781

CVE-2023-42781 affects Apache Airflow up to versions before 2.7.3 . The issue allows an authorized user (with access to read specific DAGs) to view information about task instances in other DAGs . This is a cross-DAG information disclosure vulnerability rather than a code execution flaw. Mitigati...

6.5CVSS6.2AI score0.01657EPSS
CVE
CVE
added 2024/01/24 12:58 p.m.84 views

CVE-2023-50944

CVE-2023-50944 affects Apache Airflow prior to 2.8.1. An authenticated user can access the source code of a DAG to which they do not have access, resulting in information disclosure. The vulnerability is described as low severity (CVSS 3.1 base score 6.5) due to the need for authentication. No ex...

6.5CVSS6.3AI score0.00971EPSS
CVE
CVE
added 2019/01/23 5:0 p.m.83 views

CVE-2017-17835

CVE-2017-17835 affects Apache Airflow 1.8.2 and earlier. The vulnerability is described as a CSRF flaw that allowed remote command injection on a default Airflow install. The connected documents corroborate the CSRF/vector and the potential for command execution, but do not provide exploitation d...

8.8CVSS8.9AI score0.01295EPSS
CVE
CVE
added 2019/01/23 5:0 p.m.82 views

CVE-2017-17836

In Apache Airflow 1.8.2 and earlier, an experimental feature exposed authenticated cookies and passwords to databases used by Airflow. The vulnerability allows an attacker with limited access to Airflow—e.g., via XSS or an unlocked machine—to exfiltrate credentials from the system. Documented ref...

9.8CVSS9AI score0.02166EPSS
CVE
CVE
added 2022/01/20 10:25 a.m.81 views

CVE-2021-45230

CVE-2021-45230 affects Apache Airflow prior to 2.2.0. The issue arises when a user with can_create on DAG Runs can create Dag Runs for DAGs where they do not have edit permissions, implying insufficient DAG-level permission checks in the web interface. The connected OSV and CVE references corrobo...

6.5CVSS6.3AI score0.01709EPSS
CVE
CVE
added 2022/09/21 7:25 a.m.81 views

CVE-2022-40754

Summary: CVE-2022-40754 affects Apache Airflow 2.3.0–2.3.4, describing an open redirect in the webserver’s /confirm endpoint. The root cause is an open redirect vulnerability that could enable attackers to lead users to a malicious site via an apparently legitimate URL. No exploitation details or...

6.1CVSS6.1AI score0.01452EPSS
CVE
CVE
added 2024/05/14 10:43 a.m.79 views

CVE-2024-32077

CVE-2024-32077 concerns Apache Airflow 2.9.0 with a cross-site scripting (XSS) vulnerability in Task Instance Log/Log Details. An authenticated attacker can inject malicious data into task instance logs due to insufficient input handling, leading to XSS when logs are viewed. The affected product ...

5.4CVSS5.2AI score0.01559EPSS
CVE
CVE
added 2019/01/23 5:0 p.m.78 views

CVE-2018-20245

CVE-2018-20245 affects Apache Airflow versions prior to 1.10.1, where the LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) had improper exception handling that disabled server certificate checking. This misconfiguration enables potential Man‑in‑the‑Middle risks against LDAP connections...

7.5CVSS7.4AI score0.01016EPSS
CVE
CVE
added 2020/01/14 4:28 p.m.77 views

CVE-2019-12398

Apache Airflow prior to 1.10.5 with the classic UI is affected. A malicious admin can modify object state in the Airflow metadata database to execute arbitrary JavaScript on certain page views (XSS). The RBAC UI is unaffected. Exploitation details and concrete fixes are not provided in the suppli...

4.8CVSS5.5AI score0.01871EPSS
CVE
CVE
added 2023/07/12 9:14 a.m.77 views

CVE-2023-35908

CVE-2023-35908 affects Apache Airflow, versions before 2.6.3. The vulnerability allows unauthorized read access to a DAG through the URL (i.e., an access control issue). The documented remediation is to upgrade to a version that is not affected (2.6.3 or later). Other details on exploitation tech...

6.5CVSS6.1AI score0.00757EPSS
CVE
CVE
added 2023/12/21 9:30 a.m.76 views

CVE-2023-48291

Apache Airflow prior to 2.8.0 is affected by an access-control vulnerability where an authenticated user with limited DAG access can craft a request to obtain write access to DAG resources for other DAGs, enabling them to clear DAGs they shouldn’t. This CVE (CVE-2023-48291) is described as a miss...

4.3CVSS5.2AI score0.018EPSS
CVE
CVE
added 2024/11/15 8:20 a.m.71 views

CVE-2024-45784

Summary (CVE-2024-45784): Apache Airflow versions before 2.10.3 may log sensitive configuration variables in task logs, risking exposure to unauthorized users. The underlying issue is that secrets were not masked in logging output. Version 2.10.3 and later mask secrets in task logs, mitigating th...

7.5CVSS7.5AI score0.01295EPSS
CVE
CVE
added 2023/07/12 9:17 a.m.69 views

CVE-2023-22888

Apache Airflow is affected in versions before 2.6.3 by a vulnerability that allows service disruption via manipulation of the run_id parameter. Exploitation requires an authenticated user, and the impact is described as a high availability disruption with no confidentiality/integrity impact repor...

6.5CVSS6.2AI score0.01044EPSS
CVE
CVE
added 2023/12/21 9:27 a.m.69 views

CVE-2023-49920

Apache Airflow (versions 2.7.0–2.7.3) contains a vulnerability where a GET request can trigger DAG executions without CSRF validation due to missing CSRF protection. This allows a malicious site loaded in the same browser as an Airflow UI session to trigger DAGs without user consent. The issue is...

6.5CVSS6.4AI score0.01032EPSS
CVE
CVE
added 2019/02/27 6:0 p.m.68 views

CVE-2018-20244

CVE-2018-20244 affects Apache Airflow before 1.10.2. A malicious admin can edit the state of objects in the Airflow metadata database to inject arbitrary JavaScript on certain page views, causing a Stored XSS vulnerability. The impact is that a victim’s browser could execute injected scripts when...

5.5CVSS5.8AI score0.01956EPSS
CVE
CVE
added 2023/07/12 9:17 a.m.67 views

CVE-2022-46651

Apache Airflow (versions before 2.6.3) is affected by an information-disclosure vulnerability in the Connection edit view. An unauthorized actor with access to Connection resources could potentially view sensitive data when updating a connection. Remediation: upgrade to Airflow 2.6.3 or later, wh...

6.5CVSS6.3AI score0.00886EPSS
CVE
CVE
added 2018/08/06 1:0 p.m.64 views

CVE-2017-12614

CVE-2017-12614 describes a reflected cross-site scripting vulnerability on Apache Airflow 404 pages. The root cause is an XSS in certain 404 endpoints, with Chrome detecting it as reflected but other browsers remaining vulnerable. Affected product: Apache Airflow (version unspecified in the initi...

6.1CVSS5.8AI score0.02003EPSS
CVE
CVE
added 2023/12/21 9:28 a.m.63 views

CVE-2023-47265

CVE-2023-47265 involves Apache Airflow, affecting versions 2.6.0 through 2.7.3. The issue is a stored XSS vulnerability in the parameter description field of a DAG, allowing a DAG author to inject unbounded, unsanitized JavaScript. This code executes in the browser sandbox of users viewing the DA...

5.4CVSS5.3AI score0.01344EPSS
CVE
CVE
added 2023/12/21 9:28 a.m.63 views

CVE-2023-50783

Apache Airflow prior to 2.8.0 is affected by an improper access control vulnerability that allows an authenticated user without the variable edit permission to update a variable, compromising variable management integrity and potentially enabling unauthorized data modifications. The issue is docu...

6.5CVSS6.2AI score0.0139EPSS
CVE
CVE
added 2026/04/13 2:36 p.m.63 views

CVE-2026-33858

CVE-2026-33858 concerns Apache Airflow where Dag Authors could craft an XCom payload that enables the webserver to execute arbitrary code due to unsafe deserialization via legacy serialization keys in the XCom API. Affected component: Airflow’s XCom handling. Root cause: insecure deserialization ...

8.8CVSS6.1AI score0.00592EPSS
CVE
CVE
added 2024/01/24 12:56 p.m.62 views

CVE-2023-51702

CVE-2023-51702 describes a vulnerability in Apache Airflow’s CNCF Kubernetes provider where, since version 5.2.0, using deferrable mode with the Kubernetes config file path causes the worker to serialize the file contents into a dictionary and store it in metadata unencrypted. For Airflow version...

6.5CVSS6.2AI score0.00381EPSS
CVE
CVE
added 2026/06/01 7:48 a.m.60 views

CVE-2026-45360

Summary (CVE-2026-45360) : Apache Airflow’s scheduler-side deadline-reference deserialization in SerializedCustomReference.deserialize_reference can import arbitrary attacker-controlled module paths because there is no allowlist or plugin-registry gate. A DAG author’s code that reaches the schedu...

7.3CVSS6AI score0.00651EPSS
CVE
CVE
added 2023/06/19 8:15 a.m.58 views

CVE-2023-35005

Apache Airflow (affected versions 2.5.0 up to 2.6.1) has an information disclosure issue where potentially sensitive values could be shown to users in certain UI scenarios. The root cause relates to how configuration values may be exposed in the web UI, with mitigations noting that configuration ...

6.5CVSS6.4AI score0.01518EPSS
CVE
CVE
added 2025/10/30 9:14 a.m.54 views

CVE-2025-62402

Summary: The issue CVE-2025-62402 affects Apache Airflow’s API endpoint /api/v2/dagReports. The root cause is that API users could execute Dag Python code in the API server context when the server has access to DAG files, enabling potential arbitrary code execution on the API server. This is desc...

5.4CVSS7.2AI score0.00476EPSS
CVE
CVE
added 2026/01/16 10:23 a.m.54 views

CVE-2025-68675

CVE-2025-68675 affects Apache Airflow versions prior to 3.1.6, where proxy URLs embedded in Connection proxy fields could be logged in cleartext. The issue arises because these proxies/fields were not treated as sensitive by default, allowing credentials to leak through task/log output. Public ad...

7.5CVSS5.7AI score0.01979EPSS
CVE
CVE
added 5 days ago53 views

CVE-2026-33264

CVE-2026-33264 involves a vulnerability in Apache Airflow where a bug in BaseSerialization.deserialize() permits unrestricted import_string() of attacker-controlled class paths during loading of a serialized DAG, enabling remote code execution on the API Server/Scheduler process and potentially c...

9.8CVSS6.7AI score0.01649EPSS
CVE
CVE
added 2026/01/16 10:6 a.m.45 views

CVE-2025-68438

Apache Airflow prior to 3.1.6 is affected. When rendering template fields in a Dag that exceed max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI because the secrets masker did not include user-registered mask_secret() patterns, leading to inco...

7.5CVSS6.3AI score0.00586EPSS
CVE
CVE
added 2025/10/30 9:45 a.m.44 views

CVE-2025-54941

The CVE-2025-54941 issue affects Apache Airflow, specifically the example_dag_decorator parameter handling. A non-validated parameter in the example DAG allowed a UI user to redirect to a malicious server and execute code on a worker, but exploitation requires that example DAGs are enabled in pro...

4.6CVSS6.9AI score0.00448EPSS
CVE
CVE
added 2026/04/13 2:20 p.m.44 views

CVE-2025-66236

CVE-2025-66236 concerns Apache Airflow prior to 3.2.0. The OSV/SNYK entries describe that secrets from the Airflow config file could be logged in plain text in the DAG run logs UI, exposing confidential data to users with access to logs (Deployment Manager or privileged readers). Root cause: impr...

7.5CVSS5.8AI score0.00439EPSS
Total number of security vulnerabilities143