CVE-2021-38540

9.8 CRITICAL

📋 TL;DR

CVE-2021-38540 is an authentication bypass vulnerability in Apache Airflow's variable import endpoint. Unauthenticated attackers can add or modify Airflow variables used in DAGs, potentially leading to denial of service, information disclosure, or remote code execution. This affects Apache Airflow versions 2.0.0 through 2.1.2.

💻 Affected Systems

Products:
  • Apache Airflow
Versions: >=2.0.0, <2.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations with the variable import endpoint enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution through malicious variable injection leading to complete system compromise.

🟠 Likely Case

Denial of service or information disclosure through variable manipulation.

🟢 If Mitigated

No impact if proper authentication controls are in place.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation possible.
🏢 Internal Only: HIGH - Internal attackers can exploit without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to unprotected endpoint; exploit tools available in security community.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.3

Vendor Advisory: https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2%40%3Cannounce.apache.org%3E

Restart Required: Yes

Instructions:

1. Back up your Airflow configuration and database.
2. Upgrade to Airflow 2.1.3 or later using pip: pip install --upgrade apache-airflow==2.1.3
3. Restart Airflow services.
4. Verify the fix by checking the version and testing that the variable import endpoint rejects unauthenticated requests.

🔧 Temporary Workarounds

Network Access Control

Platform: linux

Restrict network access to the Airflow web server (port 8080 in the default configuration) using firewall rules. Replace trusted_ip_range with the CIDR range that is allowed to reach the web interface; the second rule drops everything else on that port.

iptables -A INPUT -p tcp --dport 8080 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Reverse Proxy Authentication

Platform: all

Place Airflow behind a reverse proxy (nginx or Apache httpd, for example) that enforces authentication before forwarding requests to the Airflow web server, so that the variable import endpoint is never reachable without credentials.

# Configure nginx/apache with authentication before Airflow

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Airflow web interface.
  • Deploy a web application firewall (WAF) with rules to block unauthenticated requests to variable import endpoints.

🔍 How to Verify

Check if Vulnerable:

Check the Airflow version and attempt an unauthenticated POST request to the /api/v1/variables/import endpoint. An affected version (>=2.0.0, <2.1.3) that answers with anything other than 401/403 is reachable without credentials.

Check Version:

airflow version

Verify Fix Applied:

Verify version is 2.1.3+ and test that unauthenticated requests to variable import endpoint return 401/403.
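The two checks above (version in the affected range, and the import endpoint's response to an unauthenticated POST) can be scripted. The following is an added example written for this page, not code from the Airflow project or the vendor advisory. It assumes the endpoint path given on this page (/api/v1/variables/import), that `airflow version` is on PATH, and that a 401/403 answer means the endpoint is protected while a 2xx or body-validation 4xx answer means the request reached the handler without authentication; the probe sends an empty body and reads only the status code.

```python
"""Verification helpers for CVE-2021-38540 (added example, not project code)."""
import re
import subprocess
import urllib.error
import urllib.request

FIRST_AFFECTED = (2, 0, 0)   # advisory: affected >=2.0.0
FIXED = (2, 1, 3)            # advisory: fixed in 2.1.3
IMPORT_PATH = "/api/v1/variables/import"   # path as stated on this page (assumption)


def parse_version(text):
    """Extract a (major, minor, patch) tuple from `airflow version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True when the version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= tuple(version) < FIXED


def installed_version():
    """Run `airflow version` locally (hypothetical helper; needs airflow on PATH)."""
    out = subprocess.run(["airflow", "version"], capture_output=True,
                         text=True, check=True).stdout
    return parse_version(out)


def classify_status(status):
    """Interpret the HTTP status of an unauthenticated POST to the import endpoint.

    401/403 means authentication was enforced before the handler ran.
    2xx, or a body-validation error (400/415/422), means the request reached
    the handler without credentials. 404 means the path is absent, so the
    result says nothing about authentication.
    """
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300 or status in (400, 415, 422):
        return "exposed"
    if status == 404:
        return "not_found"
    return "inconclusive"


def probe_import_endpoint(base_url, path=IMPORT_PATH, timeout=5):
    """Send an empty-bodied, unauthenticated POST and return the status class."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_status(err.code)


if __name__ == "__main__":
    # Local-only demonstration; the probe needs a reachable webserver URL.
    ver = installed_version()
    print("airflow", ".".join(map(str, ver)),
          "affected" if is_affected_version(ver) else "not in affected range")
    print("import endpoint:", probe_import_endpoint("http://localhost:8080"))
```

Run the script on the host that serves the web interface after patching: the expected result is a version at or above 2.1.3 and a probe result of "protected". A "not_found" result means the path differs from the one assumed here and the check should be repeated against the deployment's actual import route.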

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to /api/v1/variables/import
  • Unexpected variable modifications in Airflow logs

Network Indicators:

  • HTTP POST to /api/v1/variables/import without authentication headers
  • Unusual traffic patterns to Airflow web interface

SIEM Query (matches requests to the import endpoint that carry no user field, i.e. no authenticated identity):

source="airflow" AND url_path="/api/v1/variables/import" AND NOT user="*"
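The log and network indicators above reduce to one rule: a POST to the import path with no authenticated user. The block below applies that rule to web server access log lines as an added example written for this page (not Airflow project code). The log lines are constructed for the example and use an assumed combined-log layout in which the third field holds the authenticated user, or "-" when there is none; a real deployment's log format may place that field elsewhere, so the regular expression is the part to adapt.

```python
"""Detect unauthenticated variable import requests in access logs (added example)."""
import re
from collections import Counter

IMPORT_PATH = "/api/v1/variables/import"   # path as stated on this page (assumption)

# Assumed layout: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one authenticated import by alice, two unauthenticated
# imports from 203.0.113.7, and unrelated requests that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Sep/2021:10:01:02 +0000] "GET /api/v1/dags HTTP/1.1" 200 512
10.0.0.5 - alice [12/Sep/2021:10:01:10 +0000] "POST /api/v1/variables/import HTTP/1.1" 200 43
203.0.113.7 - - [12/Sep/2021:10:02:33 +0000] "POST /api/v1/variables/import HTTP/1.1" 200 43
203.0.113.7 - - [12/Sep/2021:10:02:40 +0000] "POST /api/v1/variables/import?x=1 HTTP/1.1" 200 43
203.0.113.9 - - [12/Sep/2021:10:03:01 +0000] "GET /health HTTP/1.1" 200 15
"""


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string before comparing
    rec["status"] = int(rec["status"])
    return rec


def is_unauthenticated_import(rec):
    """Mirror of the SIEM rule: POST to the import path with no user identity."""
    return (rec["method"] == "POST"
            and rec["path"] == IMPORT_PATH
            and rec["user"] == "-")


def find_alerts(log_text):
    """Return every parsed record that trips the rule, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_import(rec):
            alerts.append(rec)
    return alerts


def imports_by_user(log_text):
    """Count all import requests per user, to review unexpected modifications."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == IMPORT_PATH:
            counts[rec["user"]] += 1
    return counts


def alert_sources(alerts):
    """Count alerts per source address for triage."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    hits = find_alerts(SAMPLE_LOG)
    for a in hits:
        print(f"ALERT {a['ts']} {a['ip']} unauthenticated POST {a['path']} -> {a['status']}")
    print("alert sources:", dict(alert_sources(hits)))
    print("imports by user:", dict(imports_by_user(SAMPLE_LOG)))
```

On a patched server the unauthenticated entries should stop appearing and the same requests should show as 401/403 in the status column; the per-user count covers the "unexpected variable modifications" indicator by surfacing authenticated imports that nobody expected to run.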
