CVE-2024-27906

CVE-2024-27906 affects Apache Airflow versions before 2.8.2. The published docs describe a vulnerability where authenticated users can view DAG code and import errors for DAGs they should not be allowed to view via the API and the UI. The primary impact is information disclosure of DAG contents a...

CVE-2020-13927

Apache Airflow CVE-2020-13927: An authentication bypass existed in the Experimental API where unauthenticated requests could be processed by default in older Airflow versions. The issue was mitigated by changing the default from allowing all API requests to denying them by default starting with A...

CVE-2020-11978

Apache Airflow CVE-2020-11978 affects Airflow 1.10.10 and earlier in one of the shipped example DAGs, enabling remote command execution. The root cause is a command-injection vulnerability in the example DAGs, which could allow an authenticated user to run arbitrary commands as the user running t...

CVE-2024-41937

The CVE concerns Apache Airflow versions before 2.10.0, where a stored XSS vulnerability exists in the provider link workflow. If a malicious provider is installed on the web server, a user who clicks a provider documentation link can trigger script execution, enabling an attacker to perform a cr...

CVE-2024-45034

CVE-2024-45034 affects Apache Airflow versions before 2.10.1. The vulnerability lets DAG authors put local settings in the DAG folder that get executed by the scheduler, which should not run code submitted by DAG authors. Red Hat and OSV entries confirm the issue and point to a fix in 2.10.1 or l...

CVE-2024-25142

CVE-2024-25142 : The issue is in Apache Airflow where dynamic content did not return the Cache-Control header, potentially allowing browsers to store sensitive data in local cache. Affected version: Airflow prior to 2.9.2. The available connected documents confirm the root cause (missing Cache-Co...

CVE-2024-50378

This CVE (CVE-2024-50378) affects Apache Airflow versions before 2.10.3. The root cause is that when sensitive variables are set via the Airflow CLI, their values were written to audit logs and stored unencrypted in the Airflow database, making them accessible to authenticated users with audit lo...

CVE-2024-39863

CVE-2024-39863 affects Apache Airflow up to version 2.9.3 prior to the fix. An authenticated attacker can inject a malicious link during provider installation. Users should upgrade to Airflow 2.9.3 to remediate. Other connected sources corroborate the vulnerability in the same version range and d...

CVE-2022-24288

CVE-2022-24288 affects Apache Airflow prior to 2.2.4, where some example DAGs did not properly sanitize user-provided parameters in the web UI, enabling OS command injection. Connected documents confirm an OS command injection vulnerability in affected DAGs (e.g., example_passing_params_via_test_...

CVE-2023-40611

Apache Airflow vulnerable before 2.7.1: authenticated DAG-view users can modify DAG run detail values when submitting notes (e.g., configuration, start date). Root cause relates to broken access control around DAG runs. A fix exists in 2.7.1 and later; upgrade to 2.7.1+ to remove the vulnerabilit...

CVE-2023-36543

CVE-2023-36543 affects Apache Airflow prior to 2.6.3. An authenticated user can submit crafted input that causes the current request to hang, effectively a DoS condition. The public records consistently state the impact as a hang of the current request with no other confidentiality/integrity impa...

CVE-2023-42792

CVE-2023-42792 (Apache Airflow) affects Airflow versions prior to 2.7.2. An authenticated user with limited access to some DAGs can craft a request to gain write access to DAG resources for DAGs they should not access, enabling them to clear those DAGs. Root cause described as improper access con...

CVE-2020-17526

Apache Airflow Webserver prior to version 1.10.14 with the default [webserver] secret_key allows an authenticated user on one site to access an unauthorized Webserver session on another site via session validation bypass. Affected component is the Webserver authentication mechanism; root cause is...

CVE-2022-40127

Apache Airflow before 2.4.0 is vulnerable to remote code execution via the run_id parameter on UI-triggered DAGs. The issue affects the Example Dags component and is triggered by manipulating run_id to execute arbitrary commands. Public references describe RCE on Airflow

CVE-2023-40712

CVE-2023-40712 affects Apache Airflow prior to 2.7.1. Authenticated users with UI access can craft a URL to view task/dag details, potentially unmasking secret task configuration that is normally masked in the UI. Impact is information exposure with high confidentiality impact as per the CVE; no ...

CVE-2023-42663

CVE-2023-42663 concerns Apache Airflow before 2.7.2, where an authorized user with access to some DAGs can read information about task instances in other DAGs, causing information disclosure across DAG boundaries. This is described across multiple sources as a permission-verification bypass expos...

CVE-2023-22884

CVE-2023-22884 affects Apache Airflow (core) and the Apache Airflow MySQL Provider, with the vulnerability stemming from improper neutralization of input in the LOAD DATA LOCAL INFILE flow, enabling Command Injection. Reported affected versions: Airflow before 2.5.1 and MySQL Provider before 4.0....

CVE-2020-13944

The vulnerability described as CVE-2020-13944 affects Apache Airflow via a Cross‑Site Scripting (XSS) flaw in the origin parameter for some endpoints (notably /trigger) in older Airflow releases. Connected advisories reiter that the issue occurs in <1.10.12 (and related

CVE-2022-38170

CVE-2022-38170 affects Apache Airflow prior to 2.3.4. The issue is an insecure daemon umask applied to numerous Airflow components, causing a race condition that can create world-writable files in the Airflow home directory. This allows local users to expose arbitrary file contents via the webser...

CVE-2024-26280

Apache Airflow prior to 2.8.2 has an information-disclosure issue where authenticated Ops and Viewers can see audit-log contents (e.g., dag names, usernames not visible to them). Version 2.8.2+ fixes default audit-log permissions (Ops/Viewers no longer have access by default; admins retain access...

CVE-2022-27949

CVE-2022-27949 affects Apache Airflow (UI) prior to 2.3.1. The issue allows viewing unmasked secrets in rendered template values for tasks that were not executed (e.g., tasks dependent on past/failed instances). Root cause details are not elaborated beyond the vulnerability description in the con...

CVE-2022-38649

CVE-2022-38649 describes an OS command injection vulnerability in the Apache Airflow Pinot Provider. The issue arises from improper neutralization of special elements when constructing OS commands, enabling an attacker to control commands executed in the task execution context without requiring D...

CVE-2023-39441

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by a certificate validation weakness in the OpenSSL-based SSL context. The default SSL context did not verify server X.509 certificates, allowing an attacker in a MIT...

CVE-2022-45402

CVE-2022-45402 affects Apache Airflow versions prior to 2.4.3, which have an open redirect in the webserver’s /login endpoint. The root cause is an open redirect via the login parameter (e.g., next), enabling unvalidated redirects that could be used for phishing. The vulnerability is documented w...

CVE-2022-40189

CVE-2022-40189 describes an OS command injection in the Apache Airflow Pig Provider. The root cause is improper neutralization of special elements used in OS commands, allowing an attacker to control commands executed in the task execution context. Affected are Pig Provider versions prior to 4.0....

CVE-2020-17515

The CVE-2020-17515 issue is an XSS vulnerability in the Apache Airflow “origin” parameter (e.g., in /trigger). The root cause is an unpatched origin parameter allowing reflected/scriptable input. Public details indicate affected versions include Airflow releases prior to the patched point (initia...

CVE-2022-41131

The CVE-2022-41131 issue is an OS command injection in the Apache Airflow Hive Provider. Vulnerable components: Hive Provider versions prior to 4.1.0, and Airflow versions prior to 2.3.0 if the Hive Provider is installed. Root cause is improper neutralization of special elements in OS commands, a...

CVE-2023-39508

The CVE-2023-39508 issue affects Apache Airflow prior to 2.6.0, where the Run Task feature could be exploited by an authenticated user to execute code in the webserver context and bypass DAG access restrictions, exposing sensitive information and potentially impacting confidentiality, integrity, ...

CVE-2023-47037

Apache Airflow (versions before 2.7.3) is affected by a Broken Access Control vulnerability tracked as CVE-2023-47037. The issue allows authenticated DAG-view authorized users to modify DAG run detail values (e.g., configuration parameters, start date) when submitting notes. The underlying proble...

CVE-2022-40954

The CVE-2022-40954 issue is an OS Command Injection in the Apache Airflow Spark Provider that lets an attacker read arbitrary files in the task execution context without file write access to DAGs. Affected products: Spark Provider versions prior to 4.0.0 and Airflow versions prior to 2.3.0 when t...

CVE-2023-22887

CVE-2023-22887 affects Apache Airflow versions before 2.6.3. The issue enables an authenticated attacker to perform unauthorized file access outside the intended directory by manipulating the run_id parameter (path traversal). The vulnerability is described as low impact since exploitation requir...

CVE-2026-30898

CVE-2026-30898 concerns Apache Airflow where BashOperator usage documented in DAGs could pass dag_run.conf unsafely, enabling UI user privileges to execute code on workers. The issue arises from an example that could escalate privileges via shell injection-like behavior. The connected OSV entry c...

CVE-2020-17513

Apache Airflow versions prior to 1.10.13 expose a Server-Side Request Forgery (SSRF) vulnerability in the old Flask-admin UI, specifically the Charts and Query View. The issue is described as SSRF in the Chart/Query View of the legacy UI, without details on exploit vectors, affected subcomponents...

CVE-2023-42780

Apache Airflow vulnerability CVE-2023-42780 affects versions prior to 2.7.2. Authenticated users can list warnings for all DAGs, even if they lack permission to view those DAGs, exposing dag_ids and import-error stack traces. Impact is information disclosure of non-authorized DAG metadata; no exp...

CVE-2023-50943

Apache Airflow before 2.8.1 is affected by a pickle-deserialization issue in XComs. By bypassing the enable_xcom_pickling=False protection, an attacker could poison XCom data during deserialization, with impact described as data integrity risk. The vulnerability affects Airflow versions prior to ...

CVE-2022-43985

In Apache Airflow, versions prior to 2.4.2 contain an open redirect in the webserver’s /confirm endpoint. Affected component is the Airflow webserver; root cause is an open redirect path in /confirm. The practical impact is an open redirect vulnerability (no exploitation details provided in the s...

CVE-2023-25754

Apache Airflow prior to 2.6.0 is affected by a Privilege Context Switching Error that can allow a local Linux user to read sensitive files (e.g., SSH keys) by abusing insecure log file permissions. The issue is described as a privilege escalation via log handling. A fix is available in Airflow 2....

CVE-2023-37379

CVE-2023-37379 affects Apache Airflow versions prior to 2.7.0. An authenticated user with Connection edit privileges can access connection information and abuse the test connection feature by sending many requests, causing a DoS condition on the server and enabling potentially harmful connections...

CVE-2023-29247

CVE-2023-29247 corresponds to a stored XSS in Apache Airflow’s Task instance details page, affecting versions prior to 2.6.0. Several connected sources (NVD, OSV entries, CNVD, GHSA, CNVD) converge on: vulnerable component is the UI rendering of task instance details; root cause is improper handl...

CVE-2021-35936

Apache Airflow CVE-2021-35936 affects versions older than 2.1.2. When remote logging is not used, the worker (CeleryExecutor) or the scheduler (LocalExecutor) spins up a Flask logging server that binds to 0.0.0.0 on a specific port and lacks authentication, allowing reads of DAG job log files. Th...

CVE-2023-25695

CVE-2023-25695 affects Apache Airflow prior to 2.5.2 and is an information-disclosure vulnerability caused by error messages that can contain sensitive data. The related advisories note that tracebacks may reveal details (e.g., Python/Airflow version, node name) to users, potentially aiding targe...

CVE-2022-43982

CVE-2022-43982 (Apache Airflow) refers to a cross-site scripting vulnerability in versions prior to 2.4.2, where the Trigger DAG with config screen is vulnerable to XSS via the origin query parameter. The issue arises in the web UI when user-supplied data in origin is reflected back, potentially ...

CVE-2023-42781

CVE-2023-42781 affects Apache Airflow up to versions before 2.7.3 . The issue allows an authorized user (with access to read specific DAGs) to view information about task instances in other DAGs . This is a cross-DAG information disclosure vulnerability rather than a code execution flaw. Mitigati...

CVE-2023-50944

CVE-2023-50944 affects Apache Airflow prior to 2.8.1. An authenticated user can access the source code of a DAG to which they do not have access, resulting in information disclosure. The vulnerability is described as low severity (CVSS 3.1 base score 6.5) due to the need for authentication. No ex...

CVE-2020-17511

CVE-2020-17511 affects Apache Airflow versions prior to 1.10.13. The vulnerability arises when creating a user (via airflow CLI) or a connection with a password field, causing the password to be logged in plaintext in the Log table in the Airflow metadata database. This issue is consistently desc...

CVE-2018-20245

CVE-2018-20245 affects Apache Airflow versions prior to 1.10.1, where the LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) had improper exception handling that disabled server certificate checking. This misconfiguration enables potential Man‑in‑the‑Middle risks against LDAP connections...

CVE-2023-35908

CVE-2023-35908 affects Apache Airflow, versions before 2.6.3. The vulnerability allows unauthorized read access to a DAG through the URL (i.e., an access control issue). The documented remediation is to upgrade to a version that is not affected (2.6.3 or later). Other details on exploitation tech...

CVE-2019-12398

Apache Airflow prior to 1.10.5 with the classic UI is affected. A malicious admin can modify object state in the Airflow metadata database to execute arbitrary JavaScript on certain page views (XSS). The RBAC UI is unaffected. Exploitation details and concrete fixes are not provided in the suppli...

CVE-2023-48291

Apache Airflow prior to 2.8.0 is affected by an access-control vulnerability where an authenticated user with limited DAG access can craft a request to obtain write access to DAG resources for other DAGs, enabling them to clear DAGs they shouldn’t. This CVE (CVE-2023-48291) is described as a miss...

CVE-2026-25917

Apache Airflow CVE-2026-25917 involves API extra-links enabling crafted XCom payloads that can lead to webserver code execution via XCom deserialization/class instantiation. Affected component is the Airflow webserver’s handling of XCom; root cause described as deserialization/instantiation of pa...