CVE-2024-56373

8.4 HIGH

📋 TL;DR

This vulnerability allows DAG authors with existing permissions to manipulate Airflow's database to execute arbitrary code in the web-server context when users view historical task information. This leads to server-side remote code execution. Affected systems are Apache Airflow installations where DAG authors have database access and log template history is enabled.

💻 Affected Systems

Products:
  • Apache Airflow
Versions: Before 2.11.1, with log template history enabled
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when log template history functionality is enabled. Disabled by default in 2.11.1.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the Airflow web server allowing execution of arbitrary commands, data exfiltration, lateral movement, and persistence.

🟠 Likely Case

DAG authors with database access could execute code to escalate privileges, access sensitive data, or disrupt operations.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to authorized DAG authors who would need to bypass additional security layers.

🌐 Internet-Facing: MEDIUM - Requires authenticated DAG author access and specific conditions, but could lead to web server compromise.
🏢 Internal Only: HIGH - Internal DAG authors with database access could exploit this to gain web server privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires DAG author permissions and database manipulation capabilities. Exploit involves manipulating historical log data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.1 (disables feature) or Airflow 3 (with fixed feature)

Vendor Advisory: https://lists.apache.org/thread/2vrmrhcht6g7cp5yjxpnrk2wtrncm6cy

Restart Required: Yes

Instructions:

1. Upgrade to Airflow 2.11.1 to disable vulnerable feature by default.
2. For continued log template history functionality, upgrade to Airflow 3.
3. Restart Airflow services after upgrade.

🔧 Temporary Workarounds

Disable log template history

all

Disable the vulnerable log template history functionality in configuration

Set 'log_template_history_enabled = False' in airflow.cfg

Manual log file modification

all

Manually rename historical log files if needed for viewing pre-template-change logs

Manually rename log files in storage backend as needed

🧯 If You Can't Patch

  • Restrict DAG author database access to minimum required permissions
  • Implement strict monitoring of database modifications and web server process execution

🔍 How to Verify

Check if Vulnerable:

Check if log_template_history_enabled is True in airflow.cfg and version is below 2.11.1

Check Version:

airflow version

Verify Fix Applied:

Verify version is 2.11.1+ or log_template_history_enabled is False in configuration
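
The two checks above combined into one script, as an added example (not code from Apache Airflow or from the vendor advisory). It takes the output of `airflow version` and the text of airflow.cfg. The option name is the one given on this page. The page does not name the config section, so every section and any matching AIRFLOW__<SECTION>__<KEY> environment variable is searched. The sample config, including its [logging] section, is constructed.

```python
import configparser
import re

KEY = "log_template_history_enabled"  # option name as given on this page
FIXED = (2, 11, 1)                    # first release with the feature disabled

# Constructed sample input; the [logging] section is a guess for illustration.
SAMPLE_CFG = """\
[core]
dags_folder = /opt/airflow/dags

[logging]
log_template_history_enabled = True
"""

def parse_version(text):
    """Extract (major, minor, patch) from `airflow version` output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def history_setting(cfg_text, environ):
    """Return True/False if the option is set anywhere, None if it is absent."""
    for name, value in environ.items():  # environment overrides the file
        if name.startswith("AIRFLOW__") and name.endswith("__" + KEY.upper()):
            return value.strip().lower() in ("true", "t", "1")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    for section in parser.sections():
        if parser.has_option(section, KEY):
            return parser.getboolean(section, KEY)
    return None

def assess(version_output, cfg_text, environ=None):
    """Apply the page's criteria: version below 2.11.1 AND feature enabled."""
    if parse_version(version_output) >= FIXED:
        return "fixed"
    enabled = history_setting(cfg_text, environ or {})
    if enabled is None:
        return "unknown"  # option not set: confirm the effective default by hand
    return "vulnerable" if enabled else "mitigated"

if __name__ == "__main__":
    print("2.10.4 + sample cfg:", assess("2.10.4", SAMPLE_CFG))
    print("2.11.1 + sample cfg:", assess("2.11.1", SAMPLE_CFG))
```

An "unknown" result means the option appears in neither the file nor the environment, so the running deployment's effective value has to be confirmed separately.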

📡 Detection & Monitoring

Log Indicators:

  • Unusual database modifications to log-related tables
  • Unexpected process execution from web server context
  • Suspicious log template changes

Network Indicators:

  • Unusual outbound connections from web server
  • Unexpected file transfers from Airflow server

SIEM Query:

source="airflow" AND (event="database_modification" OR event="process_execution") AND user="dag_author"
