143 matches found
CVE-2023-22887
CVE-2023-22887 affects Apache Airflow versions before 2.6.3. The issue enables an authenticated attacker to perform unauthorized file access outside the intended directory by manipulating the run_id parameter (path traversal). The vulnerability is described as low impact since exploitation requir...
CVE-2020-17513
Apache Airflow versions prior to 1.10.13 expose a Server-Side Request Forgery (SSRF) vulnerability in the old Flask-admin UI, specifically the Charts and Query View. The issue is described as SSRF in the Chart/Query View of the legacy UI, without details on exploit vectors, affected subcomponents...
CVE-2023-42780
Apache Airflow vulnerability CVE-2023-42780 affects versions prior to 2.7.2. Authenticated users can list warnings for all DAGs, even if they lack permission to view those DAGs, exposing dag_ids and import-error stack traces. Impact is information disclosure of non-authorized DAG metadata; no exp...
CVE-2019-0229
The CVE-2019-0229 entry concerns cross-site request forgery (CSRF) in the Airflow webserver. The affected surface is multiple HTTP endpoints in both the RBAC and classic Airflow webservers, where protections against CSRF are insufficient. Root cause cited across connected sources is lack of adequ...
CVE-2026-25917
Apache Airflow CVE-2026-25917 involves API extra-links enabling crafted XCom payloads that can lead to webserver code execution via XCom deserialization/class instantiation. Affected component is the Airflow webserver’s handling of XCom; root cause described as deserialization/instantiation of pa...
CVE-2020-9485
CVE-2020-9485 is a stored XSS issue affecting Apache Airflow 1.10.10 and earlier, specifically in the Chart pages of the classic UI. The vulnerability is the result of unvalidated input being reflected in the UI, enabling an attacker to inject script via the affected chart rendering. The provided...
CVE-2021-26697
CVE-2021-26697 affects Apache Airflow 2.0.0: the lineage endpoint of the deprecated Experimental API is not protected by authentication, allowing unauthenticated access to metadata about a DAG and its tasks. This is described as a low-severity issue with a low attack surface, requiring the attack...
CVE-2022-43985
In Apache Airflow, versions prior to 2.4.2 contain an open redirect in the webserver’s /confirm endpoint. Affected component is the Airflow webserver; root cause is an open redirect path in /confirm. The practical impact is an open redirect vulnerability (no exploitation details provided in the s...
CVE-2023-50943
Apache Airflow before 2.8.1 is affected by a pickle-deserialization issue in XComs. By bypassing the enable_xcom_pickling=False protection, an attacker could poison XCom data during deserialization, with impact described as data integrity risk. The vulnerability affects Airflow versions prior to ...
CVE-2023-25754
Apache Airflow prior to 2.6.0 is affected by a Privilege Context Switching Error that can allow a local Linux user to read sensitive files (e.g., SSH keys) by abusing insecure log file permissions. The issue is described as a privilege escalation via log handling. A fix is available in Airflow 2....
CVE-2023-29247
CVE-2023-29247 corresponds to a stored XSS in Apache Airflow’s Task instance details page, affecting versions prior to 2.6.0. Several connected sources (NVD, OSV entries, CNVD, GHSA, CNVD) converge on: vulnerable component is the UI rendering of task instance details; root cause is improper handl...
CVE-2023-40273
CVE-2023-40273 : A session fixation vulnerability in Apache Airflow allowed authenticated users to continue accessing the web UI after a password reset. In the database session backend, existing sessions are invalidated when a user’s password is reset; in the securecookie backend, sessions are no...
CVE-2024-28746
CVE-2024-28746 affects Apache Airflow versions 2.8.0–2.8.2. The issue allows an authenticated user with limited permissions to access resources (e.g., variables, connections) from the UI that they should not access, constituting an information disclosure vulnerability. The cited connected documen...
CVE-2019-0216
CVE-2019-0216 affects Apache Airflow where a malicious admin user could edit the state of objects in the Airflow metadata database, causing stored cross-site scripting by injecting arbitrary JavaScript on certain web views. The vulnerability arises from how the web interface renders or handles da...
CVE-2023-25695
CVE-2023-25695 affects Apache Airflow prior to 2.5.2 and is an information-disclosure vulnerability caused by error messages that can contain sensitive data. The related advisories note that tracebacks may reveal details (e.g., Python/Airflow version, node name) to users, potentially aiding targe...
CVE-2023-37379
CVE-2023-37379 affects Apache Airflow versions prior to 2.7.0. An authenticated user with Connection edit privileges can access connection information and abuse the test connection feature by sending many requests, causing a DoS condition on the server and enabling potentially harmful connections...
CVE-2021-35936
Apache Airflow CVE-2021-35936 affects versions older than 2.1.2. When remote logging is not used, the worker (CeleryExecutor) or the scheduler (LocalExecutor) spins up a Flask logging server that binds to 0.0.0.0 on a specific port and lacks authentication, allowing reads of DAG job log files. Th...
CVE-2024-29735
CVE-2024-29735 affects Apache Airflow (versions 2.8.2–2.8.3) due to the local file task handler incorrectly setting permissions on parent folders of the log directory, potentially granting group write access. The issue can impact log storage paths, and, if the home directory becomes group-writabl...
CVE-2022-43982
CVE-2022-43982 (Apache Airflow) refers to a cross-site scripting vulnerability in versions prior to 2.4.2, where the Trigger DAG with config screen is vulnerable to XSS via the origin query parameter. The issue arises in the web UI when user-supplied data in origin is reflected back, potentially ...
CVE-2017-15720
CVE-2017-15720 affects Apache Airflow 1.8.2 and earlier. An authenticated user can trigger remote code execution on the Airflow webserver by creating a specially crafted object. Reported in multiple feeds (NVD, GHSA, OSV, CNVD/CVE records), the exposure is described as remote code execution with ...
CVE-2020-17511
CVE-2020-17511 affects Apache Airflow versions prior to 1.10.13. The vulnerability arises when creating a user (via airflow CLI) or a connection with a password field, causing the password to be logged in plaintext in the Log table in the Airflow metadata database. This issue is consistently desc...
CVE-2023-42781
CVE-2023-42781 affects Apache Airflow up to versions before 2.7.3 . The issue allows an authorized user (with access to read specific DAGs) to view information about task instances in other DAGs . This is a cross-DAG information disclosure vulnerability rather than a code execution flaw. Mitigati...
CVE-2023-50944
CVE-2023-50944 affects Apache Airflow prior to 2.8.1. An authenticated user can access the source code of a DAG to which they do not have access, resulting in information disclosure. The vulnerability is described as low severity (CVSS 3.1 base score 6.5) due to the need for authentication. No ex...
CVE-2017-17835
CVE-2017-17835 affects Apache Airflow 1.8.2 and earlier. The vulnerability is described as a CSRF flaw that allowed remote command injection on a default Airflow install. The connected documents corroborate the CSRF/vector and the potential for command execution, but do not provide exploitation d...
CVE-2017-17836
In Apache Airflow 1.8.2 and earlier, an experimental feature exposed authenticated cookies and passwords to databases used by Airflow. The vulnerability allows an attacker with limited access to Airflow—e.g., via XSS or an unlocked machine—to exfiltrate credentials from the system. Documented ref...
CVE-2021-45230
CVE-2021-45230 affects Apache Airflow prior to 2.2.0. The issue arises when a user with can_create on DAG Runs can create Dag Runs for DAGs where they do not have edit permissions, implying insufficient DAG-level permission checks in the web interface. The connected OSV and CVE references corrobo...
CVE-2022-40754
Summary: CVE-2022-40754 affects Apache Airflow 2.3.0–2.3.4, describing an open redirect in the webserver’s /confirm endpoint. The root cause is an open redirect vulnerability that could enable attackers to lead users to a malicious site via an apparently legitimate URL. No exploitation details or...
CVE-2024-32077
CVE-2024-32077 concerns Apache Airflow 2.9.0 with a cross-site scripting (XSS) vulnerability in Task Instance Log/Log Details. An authenticated attacker can inject malicious data into task instance logs due to insufficient input handling, leading to XSS when logs are viewed. The affected product ...
CVE-2018-20245
CVE-2018-20245 affects Apache Airflow versions prior to 1.10.1, where the LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) had improper exception handling that disabled server certificate checking. This misconfiguration enables potential Man‑in‑the‑Middle risks against LDAP connections...
CVE-2019-12398
Apache Airflow prior to 1.10.5 with the classic UI is affected. A malicious admin can modify object state in the Airflow metadata database to execute arbitrary JavaScript on certain page views (XSS). The RBAC UI is unaffected. Exploitation details and concrete fixes are not provided in the suppli...
CVE-2023-35908
CVE-2023-35908 affects Apache Airflow, versions before 2.6.3. The vulnerability allows unauthorized read access to a DAG through the URL (i.e., an access control issue). The documented remediation is to upgrade to a version that is not affected (2.6.3 or later). Other details on exploitation tech...
CVE-2023-48291
Apache Airflow prior to 2.8.0 is affected by an access-control vulnerability where an authenticated user with limited DAG access can craft a request to obtain write access to DAG resources for other DAGs, enabling them to clear DAGs they shouldn’t. This CVE (CVE-2023-48291) is described as a miss...
CVE-2024-45784
Summary (CVE-2024-45784): Apache Airflow versions before 2.10.3 may log sensitive configuration variables in task logs, risking exposure to unauthorized users. The underlying issue is that secrets were not masked in logging output. Version 2.10.3 and later mask secrets in task logs, mitigating th...
CVE-2023-22888
Apache Airflow is affected in versions before 2.6.3 by a vulnerability that allows service disruption via manipulation of the run_id parameter. Exploitation requires an authenticated user, and the impact is described as a high availability disruption with no confidentiality/integrity impact repor...
CVE-2023-49920
Apache Airflow (versions 2.7.0–2.7.3) contains a vulnerability where a GET request can trigger DAG executions without CSRF validation due to missing CSRF protection. This allows a malicious site loaded in the same browser as an Airflow UI session to trigger DAGs without user consent. The issue is...
CVE-2018-20244
CVE-2018-20244 affects Apache Airflow before 1.10.2. A malicious admin can edit the state of objects in the Airflow metadata database to inject arbitrary JavaScript on certain page views, causing a Stored XSS vulnerability. The impact is that a victim’s browser could execute injected scripts when...
CVE-2022-46651
Apache Airflow (versions before 2.6.3) is affected by an information-disclosure vulnerability in the Connection edit view. An unauthorized actor with access to Connection resources could potentially view sensitive data when updating a connection. Remediation: upgrade to Airflow 2.6.3 or later, wh...
CVE-2017-12614
CVE-2017-12614 describes a reflected cross-site scripting vulnerability on Apache Airflow 404 pages. The root cause is an XSS in certain 404 endpoints, with Chrome detecting it as reflected but other browsers remaining vulnerable. Affected product: Apache Airflow (version unspecified in the initi...
CVE-2023-47265
CVE-2023-47265 involves Apache Airflow, affecting versions 2.6.0 through 2.7.3. The issue is a stored XSS vulnerability in the parameter description field of a DAG, allowing a DAG author to inject unbounded, unsanitized JavaScript. This code executes in the browser sandbox of users viewing the DA...
CVE-2023-50783
Apache Airflow prior to 2.8.0 is affected by an improper access control vulnerability that allows an authenticated user without the variable edit permission to update a variable, compromising variable management integrity and potentially enabling unauthorized data modifications. The issue is docu...
CVE-2026-33858
CVE-2026-33858 concerns Apache Airflow where Dag Authors could craft an XCom payload that enables the webserver to execute arbitrary code due to unsafe deserialization via legacy serialization keys in the XCom API. Affected component: Airflow’s XCom handling. Root cause: insecure deserialization ...
CVE-2023-51702
CVE-2023-51702 describes a vulnerability in Apache Airflow’s CNCF Kubernetes provider where, since version 5.2.0, using deferrable mode with the Kubernetes config file path causes the worker to serialize the file contents into a dictionary and store it in metadata unencrypted. For Airflow version...
CVE-2026-45360
Summary (CVE-2026-45360) : Apache Airflow’s scheduler-side deadline-reference deserialization in SerializedCustomReference.deserialize_reference can import arbitrary attacker-controlled module paths because there is no allowlist or plugin-registry gate. A DAG author’s code that reaches the schedu...
CVE-2023-35005
Apache Airflow (affected versions 2.5.0 up to 2.6.1) has an information disclosure issue where potentially sensitive values could be shown to users in certain UI scenarios. The root cause relates to how configuration values may be exposed in the web UI, with mitigations noting that configuration ...
CVE-2025-62402
Summary: The issue CVE-2025-62402 affects Apache Airflow’s API endpoint /api/v2/dagReports. The root cause is that API users could execute Dag Python code in the API server context when the server has access to DAG files, enabling potential arbitrary code execution on the API server. This is desc...
CVE-2025-68675
CVE-2025-68675 affects Apache Airflow versions prior to 3.1.6, where proxy URLs embedded in Connection proxy fields could be logged in cleartext. The issue arises because these proxies/fields were not treated as sensitive by default, allowing credentials to leak through task/log output. Public ad...
CVE-2026-33264
CVE-2026-33264 involves a vulnerability in Apache Airflow where a bug in BaseSerialization.deserialize() permits unrestricted import_string() of attacker-controlled class paths during loading of a serialized DAG, enabling remote code execution on the API Server/Scheduler process and potentially c...
CVE-2025-68438
Apache Airflow prior to 3.1.6 is affected. When rendering template fields in a Dag that exceed max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI because the secrets masker did not include user-registered mask_secret() patterns, leading to inco...
CVE-2025-54941
The CVE-2025-54941 issue affects Apache Airflow, specifically the example_dag_decorator parameter handling. A non-validated parameter in the example DAG allowed a UI user to redirect to a malicious server and execute code on a worker, but exploitation requires that example DAGs are enabled in pro...
CVE-2025-66236
CVE-2025-66236 concerns Apache Airflow prior to 3.2.0. The OSV/SNYK entries describe that secrets from the Airflow config file could be logged in plain text in the DAG run logs UI, exposing confidential data to users with access to logs (Deployment Manager or privileged readers). Root cause: impr...