📦 Airflow
by Apache
🔍 What is Airflow?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
CVE-2023-25754 is a privilege context switching error in Apache Airflow that allows authenticated users to execute arbitrary code with elevated privileges. This affects Apache Airflow installations be...
CVE-2021-38540 is an authentication bypass vulnerability in Apache Airflow's variable import endpoint. Unauthenticated attackers can add or modify Airflow variables used in DAGs, potentially leading t...
CVE-2020-13927 is a critical authentication bypass vulnerability in Apache Airflow's Experimental API that allows unauthenticated remote attackers to execute arbitrary code. It affects Airflow install...
This vulnerability allows DAG authors with existing permissions to manipulate Airflow's database to execute arbitrary code in the web-server context when users view historical task information. This l...
This vulnerability in Apache Airflow exposes sensitive values like passwords and API keys in cleartext in the Rendered Templates UI when template fields exceed maximum length. It affects Airflow users...
Apache Airflow versions before 3.1.6 expose proxy credentials in logs when connections contain proxy URLs with embedded authentication. This allows attackers with log access to steal credentials. All ...
Apache Airflow versions before 2.10.3 contain a vulnerability where sensitive configuration variables (secrets) can be exposed in task logs. This allows unauthorized users who can access logs to poten...
This vulnerability allows authenticated DAG authors in Apache Airflow to craft malicious doc_md parameters that can execute arbitrary code in the scheduler context, bypassing intended security restric...
This vulnerability in Apache Airflow allows authenticated users with limited permissions to access sensitive resources like variables and connections through the UI that they shouldn't have permission...
Apache Airflow and its Celery provider versions 1.10.0-2.6.3 and 3.3.0-3.4.0 log sensitive information in clear text when using rediss, amqp, or rpc protocols as Celery result backends. This exposes c...
This vulnerability in Apache Airflow allows authenticated users with Connection edit privileges to access connection information and abuse the test connection feature, causing denial of service throug...
This session fixation vulnerability in Apache Airflow allows authenticated users to maintain access to the webserver even after their password has been reset by an administrator. The vulnerability per...
This vulnerability allows authenticated users of Apache Airflow's web UI to execute arbitrary operating system commands through improperly sanitized parameters in example DAGs. It affects Apache Airfl...
This vulnerability in Apache Airflow allows authenticated users with DAG view permissions to potentially see sensitive information like secrets when a DAG fails during parsing. The error-reporting UI ...
This CVE describes an information disclosure vulnerability in Apache Airflow where authenticated users with access to specific DAGs can view import errors from other DAGs they shouldn't have access to...
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw where authenticated users with custom permissions limited to task access can view task logs without proper authorization. This...
This vulnerability in Apache Airflow allows authenticated users with UI access to view secret values in rendered templates due to improper redaction. This exposes sensitive secrets like passwords, API...
This vulnerability allows authenticated API users to execute arbitrary Dag code in the context of the api-server when deployed in environments where Dag files are accessible. It affects Apache Airflow...
This CVE describes an OS command injection vulnerability in Apache Airflow's example_dag_decorator where unvalidated parameters could allow UI users to redirect to malicious servers and execute code o...
This vulnerability allows authenticated users with CREATE privilege but no UPDATE privilege for Pools, Connections, and Variables to modify existing records through the bulk create API with overwrite ...
Apache Airflow 3.0.3 has a security flaw where users with READ permissions can view sensitive connection information through both API and UI interfaces, bypassing intended access controls. This violat...
Apache Airflow versions before 2.10.0 contain a cross-site scripting (XSS) vulnerability in provider documentation links. Malicious providers can execute arbitrary JavaScript when users click on their...
CVE-2024-32077 is a cross-site scripting (XSS) vulnerability in Apache Airflow 2.9.0 that allows authenticated attackers to inject malicious scripts into task instance logs. When viewed by administrat...