apache-airflow
PyPI131 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting apache-airflowpage 2 of 3
- CVE-2023-29247MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.6.02023-05-08
vulnerable: 1.10.0 ... 2.6.0rc5 (147 versions)
Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0.
- CVE-2023-35005MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.6.22023-06-19
vulnerable: 2.5.0 ... 2.6.2rc2 (23 versions)
In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is s…
- CVE-2023-35908MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.6.32023-07-12
vulnerable: 1.10.0 ... 2.6.3rc1 (156 versions)
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected
- CVE-2023-36543MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.6.32023-07-12
vulnerable: 1.10.0 ... 2.6.3rc1 (156 versions)
Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected
- CVE-2023-37379HIGHCVSS 8.1EG 8.1✓ Fixed in 2.7.02023-08-23
vulnerable: 1.10.0 ... 2.7.0rc2 (160 versions)
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exp…
- CVE-2023-39441MEDIUMCVSS 5.9EG 5.9✓ Fixed in 2.7.02023-08-23
vulnerable: 1.10.0 ... 2.7.0rc2 (160 versions)
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not …
- CVE-2023-39508HIGHCVSS 8.8EG 8.8✓ Fixed in 2.6.02023-08-05
vulnerable: 1.10.0 ... 2.6.0rc5 (147 versions)
Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrict…
- CVE-2023-39553HIGHCVSS 7.5EG 7.5✓ Fixed in 2.4.32023-08-11
vulnerable: 1.10.0 ... 2.4.3rc1 (127 versions)
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a …
- CVE-2023-40273HIGHCVSS 8.0EG 8.0✓ Fixed in 2.7.1rc12023-08-23
vulnerable: 1.10.0 ... 2.7.0rc2 (161 versions)
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually…
- CVE-2023-40611MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2.7.12023-09-12
vulnerable: 1.10.0 ... 2.7.1rc2 (163 versions)
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configura…
- CVE-2023-40712MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.7.12023-09-12
vulnerable: 1.10.0 ... 2.7.1rc2 (163 versions)
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that o…
- CVE-2023-42663MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.7.22023-10-14
vulnerable: 1.10.0 ... 2.7.2rc1 (165 versions)
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to …
- CVE-2023-42780MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.7.22023-10-14
vulnerable: 1.10.0 ... 2.7.2rc1 (165 versions)
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the …
- CVE-2023-42781MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.7.32023-11-12
vulnerable: 1.10.0 ... 2.7.3rc1 (167 versions)
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 bu…
- CVE-2023-42792MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.7.22023-10-14
vulnerable: 1.10.0 ... 2.7.2rc1 (165 versions)
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs th…
- CVE-2023-45348MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2.7.22023-10-14
vulnerable: 2.7.0, 2.7.1, 2.7.1rc1, 2.7.1rc2, 2.7.2rc1
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to "non-sensitive-only". The `expose_config` …
- CVE-2023-46215HIGHCVSS 7.5EG 7.5✓ Fixed in 2.7.02023-10-28
vulnerable: 1.10.0 ... 2.7.0rc2 (156 versions)
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vul…
- CVE-2023-46288MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2.7.02023-10-23
vulnerable: 2.4.0 ... 2.7.0rc2 (39 versions)
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability…
- CVE-2023-47037MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2.7.32023-11-12
vulnerable: 1.10.0 ... 2.7.3rc1 (167 versions)
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DA…
- CVE-2023-47265MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.8.0b12023-12-21
vulnerable: 2.6.0 ... 2.7.3rc1 (21 versions)
Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the cl…
- CVE-2023-48291MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2.8.02023-12-21
vulnerable: 1.10.0 ... 2.8.0rc4 (173 versions)
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs th…
- CVE-2023-49920MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.8.0b12023-12-21
vulnerable: 2.7.0 ... 2.7.3rc1 (8 versions)
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the u…
- CVE-2023-50783MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.8.02023-12-21
vulnerable: 1.10.0 ... 2.8.0rc4 (173 versions)
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially lea…
- CVE-2023-50943HIGHCVSS 7.5EG 7.5✓ Fixed in 2.8.12024-01-24
vulnerable: 1.10.0 ... 2.8.1rc1 (175 versions)
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom de…
- CVE-2023-50944MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.8.12024-01-24
vulnerable: 1.10.0 ... 2.8.1rc1 (175 versions)
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user…
- CVE-2023-51702MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.6.12024-01-24
vulnerable: 2.3.0 ... 2.6.1rc3 (44 versions)
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metad…
- CVE-2024-25142MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.9.22024-06-14
vulnerable: 1.10.0 ... 2.9.2rc1 (194 versions)
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive d…
- CVE-2024-26280MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.8.22024-03-01
vulnerable: 1.10.0 ... 2.8.2rc3 (179 versions)
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops…
- CVE-2024-27906MEDIUMCVSS 5.9EG 5.9✓ Fixed in 2.8.22024-02-29
vulnerable: 1.10.0 ... 2.8.2rc3 (179 versions)
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended …
- CVE-2024-28746HIGHCVSS 8.1EG 8.1✓ Fixed in 2.8.3rc12024-03-14
vulnerable: 2.8.0 ... 2.8.2rc3 (7 versions)
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. …
- CVE-2024-29735MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.8.42024-03-26
vulnerable: 2.8.2, 2.8.3, 2.8.3rc1, 2.8.4rc1
Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder…
- CVE-2024-31869MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2.9.02024-04-18
vulnerable: 2.7.0 ... 2.9.0rc3 (29 versions)
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configurati…
- CVE-2024-32077MEDIUMCVSS 5.4EG 5.42024-05-14
vulnerable: 2.9.0b1, 2.9.0b2, 2.9.0rc1, 2.9.0rc2, 2.9.0rc3
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.
- CVE-2024-39863MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.9.32024-07-17
vulnerable: 1.10.0 ... 2.9.3rc1 (196 versions)
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
- CVE-2024-39877HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.32024-07-17
vulnerable: 2.4.0 ... 2.9.3rc1 (75 versions)
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according…
- CVE-2024-41937MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.10.02024-08-21
vulnerable: 1.10.0 ... 2.9.3rc1 (200 versions)
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be i…
- CVE-2024-42447CRITICALCVSS 9.8EG 9.82024-08-05
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented…
- CVE-2024-45034HIGHCVSS 8.8EG 8.8✓ Fixed in 2.10.12024-09-07
vulnerable: 1.10.0 ... 2.9.3rc1 (202 versions)
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG auth…
- CVE-2024-45498HIGHCVSS 8.8EG 8.82024-09-07
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the …
- CVE-2024-45784HIGHCVSS 7.5EG 7.5✓ Fixed in 2.10.32024-11-15
vulnerable: 1.10.0 ... 2.9.3rc1 (207 versions)
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables…
- CVE-2024-50378MEDIUMCVSS 4.9EG 4.9✓ Fixed in 2.10.32024-11-08
vulnerable: 1.10.0 ... 2.9.3rc1 (207 versions)
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those …
- CVE-2025-54550HIGHCVSS 8.1EG 8.1✓ Fixed in 3.2.02026-04-15
vulnerable: 1.10.0 ... 3.2.0rc2 (281 versions)
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of…
- CVE-2025-54831MEDIUMCVSS 6.5EG 6.52025-09-26
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensi…
- CVE-2025-54941MEDIUMCVSS 4.6EG 4.6✓ Fixed in 3.0.52025-10-30
vulnerable: 3.0.0 ... 3.0.5rc3 (19 versions)
An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (no…
- CVE-2025-57735CRITICALCVSS 9.1EG 9.1✓ Fixed in 3.2.02026-04-09
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at…
- CVE-2025-62402MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.1.12025-10-30
vulnerable: 3.0.0 ... 3.1.1rc2 (30 versions)
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
- CVE-2025-62503MEDIUMCVSS 4.6EG 4.6✓ Fixed in 3.1.12025-10-30
vulnerable: 3.0.0 ... 3.1.1rc2 (30 versions)
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
- CVE-2025-66236HIGHCVSS 7.5EG 7.5✓ Fixed in 3.2.02026-04-13
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager co…
- CVE-2025-66388MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.1.42025-12-15
vulnerable: 3.1.0 ... 3.1.4rc2 (11 versions)
A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users a…
- CVE-2025-67895CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.0.02025-12-17
vulnerable: 1.10.0 ... 2.0.0rc3 (67 versions)
Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and…
Check whether apache-airflow is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for apache-airflow CVEs against the assets you own.
Start Free Scan →