Bitnami package
airflow
pkg:bitnami/airflow
Vulnerabilities (109)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-65995 | — | < 2.11.1 | 2.11.1 | Feb 21, 2026 | When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view | ||
| CVE-2026-22922 | — | >= 3.1.0, < 3.1.7 | 3.1.7 | Feb 9, 2026 | Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, whi | ||
| CVE-2026-24098 | — | < 3.1.7 | 3.1.7 | Feb 9, 2026 | Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves thi | ||
| CVE-2025-68675 | — | < 3.1.6 | 3.1.6 | Jan 16, 2026 | In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log out | ||
| CVE-2025-68438 | — | >= 3.1.0, < 3.1.6 | 3.1.6 | Jan 16, 2026 | In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instanc | ||
| CVE-2025-66388 | — | >= 3.1.0, < 3.1.4 | 3.1.4 | Dec 15, 2025 | A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4 | ||
| CVE-2025-54941 | — | >= 3.0.0, < 3.0.5 | 3.0.5 | Oct 30, 2025 | An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied | ||
| CVE-2025-62402 | — | >= 3.0.0, < 3.1.1 | 3.1.1 | Oct 30, 2025 | API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available. | ||
| CVE-2025-62503 | — | >= 3.0.0, < 3.1.1 | 3.1.1 | Oct 30, 2025 | User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action. | ||
| CVE-2025-54831 | — | >= 3.0.3, < 3.0.4 | 3.0.4 | Sep 26, 2025 | Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this mod | ||
| CVE-2024-45784 | — | < 2.10.3 | 2.10.3 | Nov 15, 2024 | Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these l | ||
| CVE-2024-50378 | — | < 2.10.3 | 2.10.3 | Nov 8, 2024 | Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and we | ||
| CVE-2024-45034 | — | < 2.10.1 | 2.10.1 | Sep 7, 2024 | Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to versi | ||
| CVE-2024-45498 | — | >= 2.10.0, < 2.10.1 | 2.10.1 | Sep 7, 2024 | Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you | ||
| CVE-2024-41937 | — | < 2.10.0 | 2.10.0 | Aug 21, 2024 | Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user t | ||
| CVE-2024-39877 | — | >= 2.4.0, < 2.9.3 | 2.9.3 | Jul 17, 2024 | Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users sho | ||
| CVE-2024-39863 | — | < 2.9.3 | 2.9.3 | Jul 17, 2024 | Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue. | ||
| CVE-2024-25142 | — | < 2.9.2 | 2.9.2 | Jun 14, 2024 | Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This i | ||
| CVE-2024-32077 | — | >= 2.9.0, < 2.9.1 | 2.9.1 | May 14, 2024 | Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue. | ||
| CVE-2024-31869 | — | >= 2.7.0, < 2.9.0 | 2.9.0 | Apr 18, 2024 | Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only commun |
- CVE-2025-65995Feb 21, 2026affected < 2.11.1fixed 2.11.1
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view
- CVE-2026-22922Feb 9, 2026affected >= 3.1.0, < 3.1.7fixed 3.1.7
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, whi
- CVE-2026-24098Feb 9, 2026affected < 3.1.7fixed 3.1.7
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves thi
- CVE-2025-68675Jan 16, 2026affected < 3.1.6fixed 3.1.6
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log out
- CVE-2025-68438Jan 16, 2026affected >= 3.1.0, < 3.1.6fixed 3.1.6
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instanc
- CVE-2025-66388Dec 15, 2025affected >= 3.1.0, < 3.1.4fixed 3.1.4
A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4
- CVE-2025-54941Oct 30, 2025affected >= 3.0.0, < 3.0.5fixed 3.0.5
An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied
- CVE-2025-62402Oct 30, 2025affected >= 3.0.0, < 3.1.1fixed 3.1.1
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
- CVE-2025-62503Oct 30, 2025affected >= 3.0.0, < 3.1.1fixed 3.1.1
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
- CVE-2025-54831Sep 26, 2025affected >= 3.0.3, < 3.0.4fixed 3.0.4
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this mod
- CVE-2024-45784Nov 15, 2024affected < 2.10.3fixed 2.10.3
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these l
- CVE-2024-50378Nov 8, 2024affected < 2.10.3fixed 2.10.3
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and we
- CVE-2024-45034Sep 7, 2024affected < 2.10.1fixed 2.10.1
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to versi
- CVE-2024-45498Sep 7, 2024affected >= 2.10.0, < 2.10.1fixed 2.10.1
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you
- CVE-2024-41937Aug 21, 2024affected < 2.10.0fixed 2.10.0
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user t
- CVE-2024-39877Jul 17, 2024affected >= 2.4.0, < 2.9.3fixed 2.9.3
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users sho
- CVE-2024-39863Jul 17, 2024affected < 2.9.3fixed 2.9.3
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
- CVE-2024-25142Jun 14, 2024affected < 2.9.2fixed 2.9.2
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This i
- CVE-2024-32077May 14, 2024affected >= 2.9.0, < 2.9.1fixed 2.9.1
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.
- CVE-2024-31869Apr 18, 2024affected >= 2.7.0, < 2.9.0fixed 2.9.0
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only commun
Page 2 of 6