High severityNVD Advisory· Published Jul 12, 2023· Updated Oct 4, 2024

Apache Airflow: ReDoS via dags function

CVE-2023-36543

Description

Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
apache-airflowPyPI	< 2.6.3	2.6.3

Affected products

osv-coords2 versions
pkg:bitnami/airflow pkg:pypi/apache-airflow
< 2.6.3+ 1 more
- (no CPE)range: < 2.6.3
- (no CPE)range: < 2.6.3
Apache/Airflowcpe-rescue
Range: 0

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/apache/airflow/pull/32060ghsapatchWEB
github.com/advisories/GHSA-3h4m-m55v-gx4mghsaADVISORY
lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4ghsavendor-advisoryWEB
nvd.nist.gov/vuln/detail/CVE-2023-36543ghsaADVISORY
github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315ghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000