Apache Airflow Hive Provider Beeline RCE with Principal
Description
Improper input validation in Apache Airflow Hive Provider before 6.1.1 allows RCE via the principal parameter when an attacker can modify connection details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Apache Airflow Hive Provider before 6.1.1 allows RCE via the principal parameter when an attacker can modify connection details.
Vulnerability
Overview
CVE-2023-35797 is an improper input validation vulnerability in the Apache Airflow Hive Provider before version 6.1.1. The root cause is that the principal parameter used in JDBC connection strings is not sanitized, allowing an attacker to inject semicolons and break out of the intended connection string structure [2][4].
Exploitation
Prerequisites
Exploitation requires the attacker to have access to modify Airflow connection details (e.g., administrative privileges on connections). By setting a malicious principal value containing semicolons, the attacker can inject arbitrary JDBC options or commands into the beeline command line [2].
Impact
Successful exploitation leads to remote code execution (RCE) on the Airflow worker that executes the Hive hook. This can compromise the entire Airflow environment and any systems accessible from that worker [2].
Mitigation
The vulnerability is fixed in Apache Airflow Hive Provider version 6.1.1, which adds a runtime check to reject principal values containing semicolons [4]. Users should update to this version or later. Note that a related issue (CVE-2023-37415) involving the proxy_user parameter was subsequently patched in version 6.1.2 [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflow-providers-apache-hivePyPI | < 6.1.1 | 6.1.1 |
Affected products
2- Range: 0
Patches
16724eeb6210dSanitize beeline principal parameter (#31983)
2 files changed · +13 −2
airflow/providers/apache/hive/hooks/hive.py+2 −2 modified@@ -150,9 +150,9 @@ def _prepare_cli_cmd(self) -> list[Any]: template = conn.extra_dejson.get("principal", "hive/_HOST@EXAMPLE.COM") if "_HOST" in template: template = utils.replace_hostname_pattern(utils.get_components(template)) - proxy_user = self._get_proxy_user() - + if ";" in template: + raise RuntimeError("The principal should not contain the ';' character") jdbc_url += f";principal={template};{proxy_user}" elif self.auth: jdbc_url += ";auth=" + self.auth
tests/providers/apache/hive/hooks/test_hive.py+11 −0 modified@@ -891,3 +891,14 @@ def test_get_proxy_user_value(self): # Verify assert "hive.server2.proxy.user=a_user_proxy" in result[2] + + def test_get_wrong_principal(self): + hook = MockHiveCliHook() + returner = mock.MagicMock() + returner.extra_dejson = {"principal": "principal with ; semicolon"} + hook.use_beeline = True + hook.conn = returner + + # Run + with pytest.raises(RuntimeError, match="The principal should not contain the ';' character"): + hook._prepare_cli_cmd()
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/apache/airflow/pull/31983ghsapatchWEB
- github.com/advisories/GHSA-hg6c-qqcm-r79rghsaADVISORY
- lists.apache.org/thread/30y19ok07fw52x5hnkbhwqo3ho0wwc1yghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-35797ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/07/12/3ghsaWEB
- github.com/apache/airflow/commit/6724eeb6210d5965937eaf9dae3e476eb30f8268ghsaWEB
News mentions
0No linked articles in our index yet.