CVE-2023-46215

7.5 HIGH

📋 TL;DR

Apache Airflow versions 1.10.0 through 2.6.3 and the Apache Airflow Celery provider versions 3.3.0 through 3.4.0 write sensitive information to logs in clear text when rediss, amqp, or rpc is used as the Celery result backend protocol. Credentials and other secrets in the backend URL are therefore readable by anyone with access to the logs. Deployments running an affected version with one of these protocols are vulnerable.

💻 Affected Systems

Products:
  • Apache Airflow
  • Apache Airflow Celery provider
Versions: Apache Airflow: 1.10.0 through 2.6.3; Apache Airflow Celery provider: 3.3.0 through 3.4.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using rediss, amqp, or rpc protocols as Celery result backends. Other configurations are not affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers with log access obtain database credentials, API keys, or other secrets leading to full system compromise, data exfiltration, or lateral movement.

🟠

Likely Case

Internal users or attackers with log access discover credentials, potentially leading to unauthorized access to connected systems.

🟢

If Mitigated

With proper log access controls and monitoring, impact is limited to authorized personnel only, though secrets remain exposed in logs.

🌐 Internet-Facing: MEDIUM - If logs are exposed via web interfaces or misconfigured logging systems, external attackers could access sensitive information.
🏢 Internal Only: HIGH - Internal users with log access can extract credentials, posing significant insider threat and privilege escalation risks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to log files, which typically requires some level of system access or misconfiguration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Airflow 2.7.0 and Apache Airflow Celery provider 3.4.1

Vendor Advisory: https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n

Restart Required: Yes

Instructions:

1. Upgrade Apache Airflow to version 2.7.0 or later.
2. Upgrade the Apache Airflow Celery provider to version 3.4.1 or later.
3. Restart all Airflow services.
4. Verify that the logs no longer contain sensitive information.

🔧 Temporary Workarounds

Disable vulnerable protocols

Switch from rediss, amqp, or rpc protocols to alternative Celery result backends like database or Redis without SSL.

Modify airflow.cfg: result_backend = db+postgresql://... or redis://...

Implement log filtering

Configure log processors to redact sensitive patterns before writing to log files.

Implement custom logging filter in Airflow to mask credentials in log messages

🧯 If You Can't Patch

  • Restrict log file access to only essential personnel using file permissions and access controls.
  • Implement continuous monitoring of log files for unauthorized access attempts and credential extraction patterns.

🔍 How to Verify

Check if Vulnerable:

Check whether airflow.cfg configures a rediss, amqp, or rpc URL as the Celery result backend, and whether the installed Airflow and Celery provider versions fall within the affected ranges.

Check Version:

airflow version && pip show apache-airflow-providers-celery | grep Version

Verify Fix Applied:

After upgrade, check logs for any remaining clear-text credentials and verify versions with 'airflow version' and 'pip show apache-airflow-providers-celery'.
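The verification above can be scripted. The following is an added example (not code from the advisory or the Airflow project) that reads the result_backend URL from an airflow.cfg fragment, assuming the standard [celery] section key, and compares the scheme and version strings against the affected ranges stated on this page; the cfg text and versions are constructed sample input.

```python
# Added example: classify an Airflow deployment against the CVE-2023-46215
# affected set from its airflow.cfg result_backend scheme and version strings.
import configparser
import re

AFFECTED_SCHEMES = {"rediss", "amqp", "rpc"}
AIRFLOW_AFFECTED = ((1, 10, 0), (2, 6, 3))    # inclusive range from the advisory
PROVIDER_AFFECTED = ((3, 3, 0), (3, 4, 0))    # inclusive range from the advisory

def parse_version(text):
    """Turn '2.6.3' (or '2.6.3rc1', '2.7') into a comparable tuple of integers."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))

def in_range(version, bounds):
    low, high = bounds
    return low <= parse_version(version) <= high

def result_backend_scheme(url):
    """Scheme part of a Celery result_backend URL, e.g. 'rediss' or 'db+postgresql'."""
    scheme, sep, _ = url.partition("://")
    return scheme.lower() if sep else ""

def read_result_backend(cfg_text):
    """Read [celery] result_backend from airflow.cfg contents; '' if not set."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read_string(cfg_text)
    return cfg.get("celery", "result_backend", fallback="")

def is_affected(cfg_text, airflow_version, provider_version=None):
    """True when the backend uses a clear-text-logged protocol and either Airflow
    or the Celery provider (if installed separately) is inside its affected range."""
    scheme = result_backend_scheme(read_result_backend(cfg_text))
    if scheme not in AFFECTED_SCHEMES:
        return False
    if in_range(airflow_version, AIRFLOW_AFFECTED):
        return True
    return bool(provider_version) and in_range(provider_version, PROVIDER_AFFECTED)

# Constructed sample airflow.cfg fragment (not a real deployment's file).
SAMPLE_CFG = """
[celery]
broker_url = redis://redis:6379/0
result_backend = rediss://:s3cret@redis:6380/1
"""

if __name__ == "__main__":
    print(is_affected(SAMPLE_CFG, "2.6.3", "3.4.0"))  # True
    print(is_affected(SAMPLE_CFG, "2.7.0", "3.4.1"))  # False
```

Feed it the real airflow.cfg contents and the output of `airflow version` and `pip show apache-airflow-providers-celery` to get a yes/no answer for each deployment.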

📡 Detection & Monitoring

Log Indicators:

  • Clear-text passwords, API keys, or connection strings in Airflow logs, especially in result backend operations

Network Indicators:

  • Unusual access patterns to log files or logging systems

SIEM Query:

source="airflow.log" AND ("password=" OR "api_key=" OR "secret=" OR "credential=")
