CVE-2024-28746 – This vulnerability in Apache Airflow allows aut... (How to Fix)

Q: What is the severity of CVE-2024-28746?

CVE-2024-28746 has a CVSS score of 8.1 (HIGH). This vulnerability in Apache Airflow allows authenticated users with limited permissions to access sensitive resources like variables and connections through the UI that they shouldn't have permission to view. It affects Airflow versions 2.8.0 through 2.8.2. This is an authorization bypass issue that could lead to information disclosure.

📋 TL;DR

This vulnerability in Apache Airflow allows authenticated users with limited permissions to access sensitive resources like variables and connections through the UI that they shouldn't have permission to view. It affects Airflow versions 2.8.0 through 2.8.2. This is an authorization bypass issue that could lead to information disclosure.

💻 Affected Systems

Products:

Apache Airflow

Versions: 2.8.0 through 2.8.2

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all deployments using vulnerable versions regardless of configuration.

📦 What is this software?

Airflow by Apache

View all CVEs affecting Airflow →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated low-privilege user could access sensitive configuration data like database credentials, API keys, or other secrets stored in Airflow variables and connections, potentially leading to full system compromise.

🟠

Likely Case

Internal users with basic permissions could access sensitive configuration data they shouldn't see, leading to information disclosure and potential credential theft.

🟢

If Mitigated

With proper network segmentation and access controls, the impact is limited to unauthorized viewing of configuration data within the Airflow environment.

🌐 Internet-Facing: MEDIUM - If Airflow UI is exposed to the internet, attackers could exploit this after obtaining basic credentials.

🏢 Internal Only: HIGH - Internal users with any level of access could exploit this to access sensitive configuration data.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires authenticated access but minimal technical skill to exploit through the UI.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.3 or newer

Vendor Advisory: https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7

Restart Required: Yes

Instructions:

1. Backup your Airflow deployment. 2. Upgrade to Airflow 2.8.3 or newer using pip: 'pip install --upgrade apache-airflow==2.8.3'. 3. Restart all Airflow components (webserver, scheduler, workers). 4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict UI Access

all

Limit access to the Airflow UI to only trusted administrators until patching can occur.

Configure firewall rules or reverse proxy to restrict UI access
Use network segmentation to isolate Airflow UI

Review and Rotate Secrets

all

Audit and rotate any sensitive credentials stored in Airflow variables and connections.

Review Airflow variables and connections for sensitive data
Rotate any exposed credentials or API keys

🧯 If You Can't Patch

Implement strict network access controls to limit who can reach the Airflow UI
Regularly audit and rotate all credentials stored in Airflow variables and connections

🔍 How to Verify

Check if Vulnerable:

Check Airflow version: if between 2.8.0 and 2.8.2 inclusive, you are vulnerable.

Check Version:

airflow version

Verify Fix Applied:

Verify Airflow version is 2.8.3 or newer and test that low-privilege users cannot access restricted resources.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to variables or connections endpoints
Users accessing resources outside their permission scope

Network Indicators:

Unusual patterns of requests to Airflow UI from low-privilege users

SIEM Query:

source="airflow" AND (uri_path="/variable" OR uri_path="/connection") AND user_role!="Admin"

📊 Metadata

CVE ID: CVE-2024-28746

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-281

Published: March 14, 2024

Last Updated: March 20, 2025

🔗 References

http://www.openwall.com/lists/oss-security/2024/03/13/5 Mailing List,Third Party Advisory
https://github.com/apache/airflow/pull/37881 Patch
https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7 Mailing List,Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/03/13/5 Mailing List,Third Party Advisory
https://github.com/apache/airflow/pull/37881 Patch
https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7 Mailing List,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-28746, you might also want to check these: