CVE-2020-13927

9.8 CRITICAL

📋 TL;DR

CVE-2020-13927 is a critical authentication bypass vulnerability in Apache Airflow's Experimental API that allows unauthenticated remote attackers to execute arbitrary code. It affects Airflow installations where the API is enabled with default settings. Users running Airflow 1.10.10 and earlier with the Experimental API accessible are vulnerable.

💻 Affected Systems

Products:
  • Apache Airflow
Versions: Versions 1.10.10 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the Experimental API enabled (default in some configurations). The vulnerability exists because the default authentication setting was 'allow all' instead of requiring authentication.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attackers can achieve full system compromise, execute arbitrary commands, steal sensitive data, and pivot to other systems in the network.

🟠 Likely Case

Attackers exploit the API to execute arbitrary code, potentially gaining control of the Airflow instance and accessing sensitive workflow data.

🟢 If Mitigated

With proper authentication configured, the API requires valid credentials, limiting access to authorized users only.

🌐 Internet-Facing: HIGH - Internet-exposed Airflow instances are trivially exploitable by unauthenticated attackers.
🏢 Internal Only: HIGH - Even internally accessible instances can be exploited by any internal attacker or compromised system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts exist that demonstrate remote code execution. The vulnerability is trivial to exploit once the API endpoint is discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.11 and later

Vendor Advisory: https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E

Restart Required: Yes

Instructions:

1. Upgrade to Airflow 1.10.11 or later.
2. For existing installations, manually set auth_backend = airflow.api.auth.backend.deny_all in the [api] section of airflow.cfg.
3. Restart all Airflow services.

🔧 Temporary Workarounds

Disable Experimental API

Platform: all

Completely disable the vulnerable Experimental API endpoint

  • Set auth_backend = airflow.api.auth.backend.deny_all in the [api] section of airflow.cfg
  • Restart Airflow services

Network Access Control

Platform: linux

Restrict network access to Airflow API endpoints using firewall rules. Replace trusted_ips with the address or range that should still reach the webserver; because -A appends, the ACCEPT rule must be added before the DROP rule for it to take effect.

iptables -A INPUT -p tcp --dport 8080 -s trusted_ips -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Immediately disable the Experimental API by setting auth_backend to deny_all
  • Implement strict network segmentation and firewall rules to block all external access to Airflow

🔍 How to Verify

Check if Vulnerable:

Check if Airflow version is 1.10.10 or earlier AND the Experimental API is accessible without authentication. Test by attempting to access API endpoints without credentials.

Check Version:

airflow version

Verify Fix Applied:

Verify Airflow version is 1.10.11+ OR confirm api.auth_backend is set to deny_all in airflow.cfg. Test that API endpoints now require authentication.
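As an added illustration (not part of this advisory), the following Python checker applies the two tests above: it parses the output of `airflow version` and reads the auth_backend key of the [api] section from airflow.cfg text. On a version below 1.10.11 a missing key is treated as vulnerable, because those releases ship an allow-all backend by default. The sample configs and the `airflow.api.auth.backend.default` value are constructed for the self-check.

```python
import configparser
import re

# Values taken from the advisory: the fixed release and the deny-all backend.
DENY_ALL_BACKEND = "airflow.api.auth.backend.deny_all"
FIXED_VERSION = (1, 10, 11)


def parse_version(version_str):
    """Turn 'airflow version' output such as '1.10.10' into a comparable tuple.
    Suffixes like 'rc1' or '+local' are ignored; only the numeric prefix counts."""
    parts = re.findall(r"\d+", version_str.split("+")[0])
    if len(parts) < 3:
        raise ValueError(f"unparseable Airflow version: {version_str!r}")
    return tuple(int(p) for p in parts[:3])


def api_auth_backend(cfg_text):
    """Return the [api] auth_backend value from airflow.cfg text, or None if absent."""
    cfg = configparser.ConfigParser(interpolation=None)  # airflow.cfg uses %(...)s
    cfg.read_string(cfg_text)
    return cfg.get("api", "auth_backend", fallback=None)


def assess(version_str, cfg_text):
    """Classify an installation as 'patched', 'mitigated' or 'vulnerable'."""
    if parse_version(version_str) >= FIXED_VERSION:
        return "patched"
    # Below 1.10.11 the shipped default is an allow-all backend, so a missing
    # key is vulnerable, not unknown.
    backend = api_auth_backend(cfg_text)
    if backend is not None and backend.strip() == DENY_ALL_BACKEND:
        return "mitigated"
    return "vulnerable"


# Constructed sample configs (not real files) used for the self-check below.
CFG_DEFAULT = """
[core]
dags_folder = /opt/airflow/dags

[api]
auth_backend = airflow.api.auth.backend.default
"""

CFG_DENY = """
[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

if __name__ == "__main__":
    for ver, cfg in [("1.10.10", CFG_DEFAULT), ("1.10.10", CFG_DENY), ("1.10.11", CFG_DEFAULT)]:
        print(ver, "->", assess(ver, cfg))
```

Point the script at the real `airflow version` output and the contents of the live airflow.cfg on each scheduler and webserver host; a result other than "patched" or "mitigated" means the Experimental API is still open.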

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated API requests to /api/experimental endpoints
  • Unusual process execution from Airflow services
  • Failed authentication attempts against the API, if authentication logging is enabled

Network Indicators:

  • Unusual traffic to Airflow API ports (default 8080)
  • POST requests to /api/experimental endpoints without authentication headers

SIEM Query:

source="airflow.logs" AND (uri_path="/api/experimental/*" AND NOT auth_success="true")
