Moderate severityNVD Advisory· Published Mar 14, 2024· Updated Mar 20, 2025
Apache Airflow: Ignored Airflow Permissions
CVE-2024-28746
Description
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.
Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflowPyPI | >= 2.8.0, < 2.8.3rc1 | 2.8.3rc1 |
Affected products
3- osv-coords2 versions
>= 2.8.0, < 2.8.3+ 1 more
- (no CPE)range: >= 2.8.0, < 2.8.3
- (no CPE)range: >= 2.8.0, < 2.8.3rc1
Patches
Vulnerability mechanics
References
7- github.com/apache/airflow/pull/37881ghsapatchWEB
- github.com/advisories/GHSA-h574-6646-vfxxghsaADVISORY
- lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-28746ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/03/13/5ghsaWEB
- github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773ccaghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yamlghsaWEB
News mentions
0No linked articles in our index yet.