PyPI package
apache-airflow-core
pkg:pypi/apache-airflow-core
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32690 | Low | 3.7 | | >= 3.0.0, < 3.2.0 | 3.2.0 | Apr 18, 2026 | Secrets in Variables saved as JSON dictionaries were not properly redacted: when the variables were retrieved by the user, the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise p |
| CVE-2026-32228 | High | 7.5 | | >= 3.0.0, < 3.2.0 | 3.2.0 | Apr 18, 2026 | A UI / API user with asset materialize permission could trigger Dags they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue. |
| CVE-2026-30912 | High | 7.5 | | < 3.2.0 | 3.2.0 | Apr 18, 2026 | In case of SQL errors, the exception/stack trace of the error was exposed in the API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to a potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
| CVE-2026-25917 | High | 7.2 | | < 3.2.0 | 3.2.0 | Apr 18, 2026 | Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache |