79 matches found
CVE-2024-45784
Summary (CVE-2024-45784): Apache Airflow versions before 2.10.3 may log sensitive configuration variables in task logs, risking exposure to unauthorized users. The underlying issue is that secrets were not masked in logging output. Version 2.10.3 and later mask secrets in task logs, mitigating th...
CVE-2023-22888
Apache Airflow is affected in versions before 2.6.3 by a vulnerability that allows service disruption via manipulation of the run_id parameter. Exploitation requires an authenticated user, and the impact is described as a high availability disruption with no confidentiality/integrity impact repor...
CVE-2018-20244
CVE-2018-20244 affects Apache Airflow before 1.10.2. A malicious admin can edit the state of objects in the Airflow metadata database to inject arbitrary JavaScript on certain page views, causing a Stored XSS vulnerability. The impact is that a victim’s browser could execute injected scripts when...
CVE-2022-46651
Apache Airflow (versions before 2.6.3) is affected by an information-disclosure vulnerability in the Connection edit view. An unauthorized actor with access to Connection resources could potentially view sensitive data when updating a connection. Remediation: upgrade to Airflow 2.6.3 or later, wh...
CVE-2017-12614
CVE-2017-12614 describes a reflected cross-site scripting vulnerability on Apache Airflow 404 pages. The root cause is an XSS in certain 404 endpoints, with Chrome detecting it as reflected but other browsers remaining vulnerable. Affected product: Apache Airflow (version unspecified in the initi...
CVE-2023-50783
Apache Airflow prior to 2.8.0 is affected by an improper access control vulnerability that allows an authenticated user without the variable edit permission to update a variable, compromising variable management integrity and potentially enabling unauthorized data modifications. The issue is docu...
CVE-2026-45360
Summary (CVE-2026-45360) : Apache Airflow’s scheduler-side deadline-reference deserialization in SerializedCustomReference.deserialize_reference can import arbitrary attacker-controlled module paths because there is no allowlist or plugin-registry gate. A DAG author’s code that reaches the schedu...
CVE-2025-68675
CVE-2025-68675 affects Apache Airflow versions prior to 3.1.6, where proxy URLs embedded in Connection proxy fields could be logged in cleartext. The issue arises because these proxies/fields were not treated as sensitive by default, allowing credentials to leak through task/log output. Public ad...
CVE-2026-33264
CVE-2026-33264 involves a vulnerability in Apache Airflow where a bug in BaseSerialization.deserialize() permits unrestricted import_string() of attacker-controlled class paths during loading of a serialized DAG, enabling remote code execution on the API Server/Scheduler process and potentially c...
CVE-2024-56373
Summary of CVE-2024-56373 : Apache Airflow 2.x contains a vulnerability in the log template history mechanism that can allow a user (DAG Author) with existing permissions to manipulate the Airflow database and execute arbitrary code in the web-server context, leading to potential remote code exec...
CVE-2025-65995
Airflow CVE-2025-65995 affects the UI error-reporting path: if a DAG fails during parsing, full operator kwargs (potentially containing secrets) could be exposed in tracebacks to users with DAG viewing permissions. Affected products are Apache Airflow; root cause is leakage of sensitive values vi...
CVE-2026-45192
CVE-2026-45192 concerns Apache Airflow where a bug in GET /api/v2/connections/{connection_id} allowed an authenticated UI/API user with Connection-read permission to access secrets stored in a Connection's extra JSON blob that are not included in the redaction allowlist (DEFAULT_SENSITIVE_FIELDS)...
CVE-2026-49298
Summary: CVE-2026-49298 affects Apache Airflow when using the KubernetesExecutor. JWT tokens used by worker pods to authenticate to the Execution API are exposed as command-line arguments in the pod spec, enabling a user with Kubernetes read-only access (pods/get) to harvest a token and perform s...
CVE-2026-25219
CVE-2026-25219 affects Apache Airflow. The vulnerability arises because the access_key and connection_string fields were not marked as sensitive in secrets masker, enabling users with read access to view these values in the UI and potentially in logs. The documented remediation is to upgrade Airf...
CVE-2026-46764
The CVE-2026-46764 affects Apache Airflow’s Event Log APIs: the detail endpoint GET /api/v2/eventLogs/{event_log_id} returns audit-log rows by numeric ID after only a generic Audit Log permission check, while GET /api/v2/eventLogs applies per-Dag scoping. An authenticated user with audit-log read...
CVE-2026-48726
CVE-2026-48726 describes a bug in Apache Airflow where the logout flow for FabAuthManager and KeycloakAuthManager does not reach revoke_token(), leaving previously issued JWTs valid until expiry. This creates a residual gap after CVE-2025-57735 where cookie-side invalidation was addressed but pro...
CVE-2026-42360
Apache Airflow CVE-2026-42360 describes a vulnerability in the rendered-template field handling where nested sensitive-keys (password/token/secret/api_key) could be exposed if the rendered field exceeded max_templated_field_length. The bug occurs because the structure is stringified before redact...
CVE-2026-38743
The CVE-2026-38743 issue affects Apache Airflow’s authenticated /ui/dags endpoint, where per-DAG access control was not enforced for embedded HITL prompts and TaskInstance records. A user with read access to any DAG could access HITL prompts (including request parameters) and full TaskInstance de...
CVE-2026-40861
CVE-2026-40861 affects Apache Airflow, specifically the FileTaskHandler used for task logs. A Dag author can cause log path resolution to escape the configured base_log_folder via two patterns: (a) creating a symlink in the task log directory to an arbitrary file readable by the API server (read-...
CVE-2026-30912
CVE-2026-30912 concerns Apache Airflow where SQL errors expose exception and stack trace information in the API despite the setting api/expose_stack_traces being disabled. This behavior can leak sensitive information to an attacker. The connected sources consistently indicate the issue affects Ai...
CVE-2025-54550
Summary (CVE-2025-54550) : The issue concerns the example_xcom in Airflow documentation that reads from XComs using an unsafe pattern. The root cause is a vulnerable read pattern that could allow a UI user with XCom modification access to cause arbitrary code execution on the worker. The document...
CVE-2026-42358
Summary (CVE-2026-42358): In Apache Airflow, the Variable response masker can bypass nested-key redaction when JSON values are deeply nested. Keys ending with secret-like suffixes (password, token, secret, api_key) could have their plaintext values exposed if nesting depth exceeds the masker's re...
CVE-2026-40690
CVE-2026-40690 affects the asset dependency graph in Apache Airflow. The issue: the graph view did not enforce DAG read permissions , allowing a user with access to at least one DAG to discover the existence and names of other DAGs and assets across the deployment. Root cause per sources: lack of...
CVE-2025-27555
CVE-2025-27555 concerns Apache Airflow prior to 2.11.1 where authenticated users with audit log access can see sensitive connection parameters logged by the system when set via the airflow CLI. The underlying issue is that these sensitive values were stored unencrypted in the Airflow database and...
CVE-2026-48828
The CVE-2026-48828 issue affects Apache Airflow’s Bulk Variables API: the redactor was invoked without passing the variable key, so the key-based should_hide_value_for_key check (triggered by secret-suffixed keys like *_password, *_token, *_secret) could not redact JSON-typed variable values. An ...
CVE-2026-49296
CVE-2026-49296 (Apache Airflow) : Affected versions before 3.3.0 expose the full source of co-located DAGs when reading a single DAG via GET /api/v2/dagSources/{dag_id} or the UI view, bypassing per-DAG read controls. This can disclose multiple DAG sources from the same file to authorized readers...
CVE-2026-48891
A vulnerability in Apache Airflow affects the UI at /ui/dependencies where the scheduling graph endpoint applies the caller’s readable-Dag filter to the top-level Dag key but still exposes Dag IDs in dep.source and dep.target for trigger/sensor entries. An authenticated UI user with read access t...
CVE-2026-48892
CVE-2026-48892 : Apache Airflow's Config API leaks per-key secrets-backend overrides via environment variables (e.g., AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID, AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID) that are not in sensitive_config_values, allowing an authenticated UI/API user with...
CVE-2026-49487
Apache Airflow prior to 3.3.0 exposes secrets in clear text via the REST API. Specifically, the task-instance detail and list endpoints leak a deferred task’s trigger kwargs, so if a deferred operator passes a secret (e.g., a provider API key) into its trigger, any authenticated user with DAG-sco...