apache-airflow-core
PyPI
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting apache-airflow-core
- CVE-2026-25917 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 3.2.0 | 2026-04-18
vulnerable: 3.0.0 ... 3.2.0rc2 (61 versions)
Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. U…
- CVE-2026-30912 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.2.0 | 2026-04-18
vulnerable: 3.0.0 ... 3.2.0rc2 (61 versions)
In case of SQL errors, the exception/stack trace of the errors was exposed in the API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to a potential attacker. Users are recommended to upgrade to Apa…
- CVE-2026-32228 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.2.0 | 2026-04-18
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
A UI / API user with asset materialize permission could trigger Dags they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue.
- CVE-2026-32690 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 3.2.0 | 2026-04-18
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case these variables were retrieved by the user, the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSO…