VYPR

Apache Airflow Providers Keycloak

by Apache

CVEs (30)

  • CVE-2026-40948 · Med · Apr 18, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted…

  • CVE-2026-42526 · Med · May 19, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the…

  • CVE-2026-25604 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In the AWS Auth manager, the origin of the SAML authentication was used as provided by the client and not verified against the actual instance URL. This allowed an attacker to gain access to different instances with potentially different access controls by reusing a SAML response from…

  • CVE-2025-69219 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.01

    A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a Dag Author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of it making…

  • CVE-2025-27018 · Mar 19, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When a user triggered a DAG that used the dump_sql or load_sql functions, they could pass a table parameter from the UI that could cause SQL injection by…

  • CVE-2024-45033 · Jan 8, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When a user's password was changed with the admin CLI, that user's sessions were not cleared, leading to insufficient session…

  • CVE-2024-42447 · Aug 5, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. * FAB…

  • CVE-2024-29733 · Apr 21, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing…

  • CVE-2024-25141 · Feb 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    When SSL was enabled for the Mongo Hook, the default settings included "allow_insecure", which caused certificates not to be validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue.

  • CVE-2023-41267 · Sep 14, 2023
    risk 0.00 · cvss n/a · epss 0.00

    In the Apache Airflow HDFS Provider, versions prior to 4.1.1, the documentation pointed users to install an incorrect pip package. As this package name was unclaimed, in theory an attacker could claim this package and provide code that would be executed when this package…

  • CVE-2023-40195 · Aug 28, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to…

  • CVE-2023-27604 · Aug 28, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker to pass parameters with the connections, which makes it possible to achieve RCE via 'sqoop import --connect', obtain airflow server permissions, etc. The…

  • CVE-2023-39441 · Aug 23, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context of the SSL library did not check the server's X.509 certificate. …

  • CVE-2023-40272 · Aug 17, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection, giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that…

  • CVE-2023-39553 · Aug 11, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook, giving an…

  • CVE-2023-37415 · Jul 13, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797: before 6.1.2 the proxy_user option could also inject a semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. …

  • CVE-2023-35797 · Jul 3, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. Before version 6.1.1 it was possible to bypass the security check and achieve RCE via the principal parameter. For this…

  • CVE-2023-22886 · Jun 29, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. The Airflow JDBC Provider Connection's [Connection URL] parameters had no restrictions, which made it possible to achieve RCE via different types of JDBC drivers, obtain…

  • CVE-2023-35798 · Jun 27, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider. This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to…

  • CVE-2023-28710 · Apr 7, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider. This issue affects Apache Airflow Spark Provider: before 4.0.1.
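The two controls that the CVE-2026-40948 entry says the Keycloak authentication manager lacked, an unguessable single-use `state` and PKCE, as an added example over a dict-based session. This is illustrative code written for this page, not code from `apache-airflow-providers-keycloak`; the Keycloak endpoint, redirect URI and client id are assumptions.

```python
"""Added example, not provider code: OAuth 2.0 state + PKCE (S256) handling for a
login / login-callback flow, kept offline with a plain dict as the session store.
AUTHORIZE_URL, REDIRECT_URI and CLIENT_ID are assumed values."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://keycloak.example/realms/airflow/protocol/openid-connect/auth"  # assumed
REDIRECT_URI = "https://airflow.example/auth/callback"  # assumed
CLIENT_ID = "airflow"  # assumed


def s256_challenge(verifier):
    """RFC 7636 code_challenge: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login(session):
    """Bind a fresh state and PKCE verifier to this browser session and return the
    authorization request parameters. Both values come from the CSPRNG."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, inside RFC 7636's 43..128
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }


def authorize_url(session):
    """Full redirect target for the browser."""
    return f"{AUTHORIZE_URL}?{urlencode(begin_login(session))}"


def finish_login(session, callback_url):
    """Validate the login callback. The stored state is consumed with pop(), so a
    replayed callback or one crafted by another realm user (the attack the advisory
    describes) is refused. The verifier is returned for the token request, where the
    server checks S256(verifier) against the challenge it saw at authorization time."""
    query = parse_qs(urlparse(callback_url).query)
    presented = query.get("state", [""])[0]
    expected = session.pop("oauth_state", "")
    if not expected or not secrets.compare_digest(presented.encode(), expected.encode()):
        session.pop("pkce_verifier", None)  # never leave a dangling verifier behind
        raise PermissionError("state missing, mismatched or already used; callback rejected")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {"code": code, "code_verifier": session.pop("pkce_verifier")}
```

Binding the state to the server-side session and comparing in constant time is what makes the callback unforgeable; without PKCE, an attacker who can inject their own authorization code into a victim's callback can still log the victim into the attacker's account, which is why both checks belong together.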
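A model of the path-collision class in the CVE-2026-42526 entry, where a `conn_id` containing `/` lands on another team's team-scoped secret path, with a hardened builder and an audit over a constructed connection inventory. This is an added example, not code from `apache-airflow-providers-amazon`; the prefix, the `<prefix>/<team>/<conn_id>` layout and the sample entries are assumptions made for illustration.

```python
"""Added example, not provider code: how a '/' inside conn_id collapses two logical
secrets onto one backend path, a builder that refuses it, and a collision audit.
CONNECTIONS_PREFIX and the path layout are assumed, not the provider's real ones."""
from collections import defaultdict

CONNECTIONS_PREFIX = "airflow/connections"  # assumed prefix


def secret_path_unchecked(conn_id, team=None, prefix=CONNECTIONS_PREFIX):
    """Vulnerable layout (assumed): team-scoped secrets live under
    <prefix>/<team>/<conn_id>, global ones under <prefix>/<conn_id>.
    Nothing stops a '/' inside conn_id from adding path segments."""
    if team is None:
        return f"{prefix}/{conn_id}"
    return f"{prefix}/{team}/{conn_id}"


def secret_path(conn_id, team=None, prefix=CONNECTIONS_PREFIX):
    """Hardened builder: every caller-supplied field must be exactly one path
    segment, so no value can step into another team's namespace."""
    for label, value in (("conn_id", conn_id), ("team", team)):
        if value is None:
            continue
        if not value or "/" in value or value in (".", ".."):
            raise ValueError(f"{label} {value!r} is not a single path segment")
    return secret_path_unchecked(conn_id, team, prefix)


def find_collisions(entries, prefix=CONNECTIONS_PREFIX):
    """Audit: group (team, conn_id) pairs that the unchecked layout maps to the
    same path. Returns {path: [(team, conn_id), ...]} for paths with >1 owner."""
    owners = defaultdict(list)
    for team, conn_id in entries:
        owners[secret_path_unchecked(conn_id, team, prefix)].append((team, conn_id))
    return {path: who for path, who in owners.items() if len(who) > 1}


# Constructed inventory: a global connection whose conn_id contains '/' shadows
# team "my_team"'s connection named "conn".
SAMPLE_ENTRIES = [
    ("my_team", "conn"),
    (None, "my_team/conn"),
    ("other_team", "conn"),
    ("my_team", "db"),
]
```

Running `find_collisions` over an exported list of your own connections is a quick way to check an existing deployment before upgrading; the hardened builder is the shape of the fix, rejecting the input rather than trying to escape it.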
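Three entries on this page (CVE-2023-39441 for SMTP/IMAP, CVE-2024-25141 for the Mongo hook's "allow_insecure", CVE-2024-29733 for FTP_TLS) are the same defect: a TLS client that does not verify the server certificate. The added example below, which is not the providers' own code, shows a verifying `ssl` context beside the non-verifying equivalent of an allow-insecure toggle, an audit predicate for a context pulled out of a hook, and the stdlib clients the affected hooks wrap constructed with the context passed explicitly. No network connection is opened.

```python
"""Added example, not provider code: verifying vs non-verifying ssl.SSLContext and
an audit check. Everything here runs offline; no host is contacted."""
import ftplib
import smtplib
import ssl


def verified_context(cafile=None):
    """What a hook should hand to the library: chain and hostname both checked.
    create_default_context() sets CERT_REQUIRED and check_hostname=True."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context():
    """Effect of an 'allow_insecure'-style option: any certificate is accepted, so
    an on-path attacker can terminate TLS and read the credentials the hook sends.
    (check_hostname must be cleared before verify_mode can drop to CERT_NONE.)"""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """Audit predicate: both flags must hold, otherwise the certificate is not
    actually validated against the host being connected to."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname is True


def build_clients(ctx):
    """Construct, but do not connect, the stdlib clients behind the FTP and SMTP
    hooks, passing the context explicitly instead of relying on library defaults.
    Neither constructor connects when no host is given."""
    ftp = ftplib.FTP_TLS(context=ctx)
    smtp = smtplib.SMTP_SSL(context=ctx)
    return ftp, smtp
```

When reviewing a hook, call `context_verifies_peer` on the context it actually builds rather than reading its options: the Mongo entry above is exactly a case where the effective default contradicted what a reader of the documentation would expect.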

Page 1 of 2