PyPI package
apache-airflow
pkg:pypi/apache-airflow
Vulnerabilities (111)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40690 | Med | 4.3 | < 3.2.1rc1 | 3.2.1rc1 | Apr 24, 2026 | The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized sco | |
| CVE-2026-38743 | Med | 4.3 | < 3.2.1rc1 | 3.2.1rc1 | Apr 24, 2026 | The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskIn | |
| CVE-2026-31987 | Hig | 7.5 | >= 3.0.0, < 3.2.0 | 3.2.0 | Apr 16, 2026 | JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue. | |
| CVE-2026-25219 | Med | 6.5 | < 3.1.8 | 3.1.8 | Apr 15, 2026 | The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be s | |
| CVE-2025-54550 | Hig | 8.1 | < 3.2.0 | 3.2.0 | Apr 15, 2026 | The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users ar | |
| CVE-2026-33858 | Hig | 8.8 | >= 3.1.8, < 3.2.0 | 3.2.0 | Apr 13, 2026 | Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apach | |
| CVE-2025-66236 | Hig | 7.5 | < 3.2.0 | 3.2.0 | Apr 13, 2026 | Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enoug | |
| CVE-2025-57735 | Cri | 9.1 | >= 3.0.0, < 3.2.0 | 3.2.0 | Apr 9, 2026 | When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about th | |
| CVE-2026-34538 | Med | 6.5 | >= 3.0.0, < 3.2.0 | 3.2.0 | Apr 9, 2026 | Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with | |
| CVE-2026-32794 | Med | 4.8 | >= 1.10.0, < 1.12.0 | 1.12.0 | Mar 30, 2026 | Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials ex | |
| CVE-2026-28563 | — | >= 3.0.0, < 3.1.8 | 3.1.8 | Mar 17, 2026 | Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users | ||
| CVE-2026-26929 | — | >= 3.0.0, < 3.1.8 | 3.1.8 | Mar 17, 2026 | Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access | ||
| CVE-2026-30911 | — | >= 3.0.0, < 3.1.8 | 3.1.8 | Mar 17, 2026 | Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recom | ||
| CVE-2026-28779 | — | >= 3.0.0, < 3.1.8 | 3.1.8 | Mar 17, 2026 | Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP reques | ||
| CVE-2025-27555 | — | < 2.11.1 | 2.11.1 | Feb 24, 2026 | Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audi | ||
| CVE-2024-56373 | — | < 2.11.1 | 2.11.1 | Feb 24, 2026 | DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server ( | ||
| CVE-2025-65995 | — | < 2.11.1 | 2.11.1 | Feb 21, 2026 | When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view | ||
| CVE-2026-22922 | — | >= 3.1.0, < 3.1.7 | 3.1.7 | Feb 9, 2026 | Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, whi | ||
| CVE-2026-24098 | — | < 3.1.7 | 3.1.7 | Feb 9, 2026 | Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves thi | ||
| CVE-2025-68675 | — | >= 3.0.0b1, < 3.1.6 | 3.1.6 | Jan 16, 2026 | In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log out |
- affected < 3.2.1rc1fixed 3.2.1rc1
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized sco
- affected < 3.2.1rc1fixed 3.2.1rc1
The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskIn
- affected >= 3.0.0, < 3.2.0fixed 3.2.0
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.
- affected < 3.1.8fixed 3.1.8
The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be s
- affected < 3.2.0fixed 3.2.0
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users ar
- affected >= 3.1.8, < 3.2.0fixed 3.2.0
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apach
- affected < 3.2.0fixed 3.2.0
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enoug
- affected >= 3.0.0, < 3.2.0fixed 3.2.0
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about th
- affected >= 3.0.0, < 3.2.0fixed 3.2.0
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with
- affected >= 1.10.0, < 1.12.0fixed 1.12.0
Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials ex
- CVE-2026-28563Mar 17, 2026affected >= 3.0.0, < 3.1.8fixed 3.1.8
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users
- CVE-2026-26929Mar 17, 2026affected >= 3.0.0, < 3.1.8fixed 3.1.8
Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access
- CVE-2026-30911Mar 17, 2026affected >= 3.0.0, < 3.1.8fixed 3.1.8
Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recom
- CVE-2026-28779Mar 17, 2026affected >= 3.0.0, < 3.1.8fixed 3.1.8
Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP reques
- CVE-2025-27555Feb 24, 2026affected < 2.11.1fixed 2.11.1
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audi
- CVE-2024-56373Feb 24, 2026affected < 2.11.1fixed 2.11.1
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (
- CVE-2025-65995Feb 21, 2026affected < 2.11.1fixed 2.11.1
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view
- CVE-2026-22922Feb 9, 2026affected >= 3.1.0, < 3.1.7fixed 3.1.7
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, whi
- CVE-2026-24098Feb 9, 2026affected < 3.1.7fixed 3.1.7
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves thi
- CVE-2025-68675Jan 16, 2026affected >= 3.0.0b1, < 3.1.6fixed 3.1.6
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log out
Page 1 of 6