CVE-2017-17836
Description
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to Airflow, whether it be via XSS or by leaving a machine unlocked, can exfiltrate all credentials from the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Airflow 1.8.2 and earlier, an experimental feature leaks authenticated cookies and database passwords, allowing credential exfiltration via XSS or physical access.
Vulnerability
In Apache Airflow 1.8.2 and earlier, an experimental feature exposed authenticated cookies and passwords for databases used by Airflow. The feature displayed these sensitive values in the Airflow web interface, making them accessible to any user or attacker who can view the UI under certain conditions. The affected versions are Apache Airflow 1.8.2 and earlier [2] [3].
Exploitation
An attacker who has limited access to the Airflow system can exploit this vulnerability. This access can be achieved through cross-site scripting (XSS) or by using an unlocked machine that is logged into the Airflow UI. No additional authentication is required beyond the initial access, as the vulnerable feature directly displays the credentials. The attacker simply navigates to the experimental feature's page to view and exfiltrate the exposed cookies and database passwords [2] [3].
Impact
Successful exploitation allows the attacker to exfiltrate all credentials from the system, including authenticated cookies and passwords to databases used by Airflow. This can lead to unauthorized access to the Airflow instance and connected databases, potentially compromising the integrity and confidentiality of workflows and data [2] [3].
Mitigation
Apache Airflow 1.9.0, released after the vulnerability was disclosed, resolves this issue by removing the experimental feature that exposed credentials. Users of affected versions should upgrade to Airflow 1.9.0 or later. No workaround is available for unfixed versions [2] [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow (PyPI) | < 1.9.0 | 1.9.0 |
Affected products
- Apache Software Foundation / Apache Airflow (range: Apache Airflow <= 1.8.2)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-9gqg-3fxr-9hv7 (source: GHSA; type: ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2017-17836 (source: GHSA; type: ADVISORY)
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-149.yaml (source: GHSA; type: WEB)
- https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57%40%3Cdev.airflow.apache.org%3E (source: MITRE; type: x_refsource_MISC)
- https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E (source: GHSA; type: WEB)
News mentions
No linked articles in our index yet.