apache-airflow (PyPI): 112 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
vulnerable: 1.10.0 ... 2.6.0rc5 (147 versions)
Task instance details page in the UI is vulnerable to a stored XSS. This issue affects Apache Airflow: before 2.6.0.
vulnerable: 2.5.0 ... 2.6.2rc2 (23 versions)
In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is s…
vulnerable: 1.10.0 ... 2.6.3rc1 (156 versions)
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected
vulnerable: 1.10.0 ... 2.6.3rc1 (156 versions)
Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected
vulnerable: 1.10.0 ... 2.7.0rc2 (160 versions)
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exp…
vulnerable: 1.10.0 ... 2.7.0rc2 (160 versions)
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not …
vulnerable: 1.10.0 ... 2.6.0rc5 (147 versions)
Execution with Unnecessary Privileges and Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The "Run Task" feature enables an authenticated user to bypass some of the restrict…
vulnerable: 1.10.0 ... 2.4.3rc1 (127 versions)
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a …
vulnerable: 1.10.0 ... 2.7.0rc2 (161 versions)
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually…
vulnerable: 1.10.0 ... 2.7.1rc2 (163 versions)
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configura…
vulnerable: 1.10.0 ... 2.7.1rc2 (163 versions)
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that o…
vulnerable: 1.10.0 ... 2.7.2rc1 (165 versions)
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to …
vulnerable: 1.10.0 ... 2.7.2rc1 (165 versions)
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the …
vulnerable: 1.10.0 ... 2.7.3rc1 (167 versions)
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 bu…
vulnerable: 1.10.0 ... 2.7.2rc1 (165 versions)
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs th…
vulnerable: 2.7.0, 2.7.1, 2.7.1rc1, 2.7.1rc2, 2.7.2rc1
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to "non-sensitive-only". The `expose_config` …
vulnerable: 1.10.0 ... 2.7.0rc2 (156 versions)
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vul…
vulnerable: 2.4.0 ... 2.7.0rc2 (39 versions)
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability…
vulnerable: 1.10.0 ... 2.7.3rc1 (167 versions)
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DA…
vulnerable: 2.6.0 ... 2.7.3rc1 (21 versions)
Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the cl…
vulnerable: 1.10.0 ... 2.8.0rc4 (173 versions)
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs th…
vulnerable: 2.7.0 ... 2.7.3rc1 (8 versions)
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the u…
vulnerable: 1.10.0 ... 2.8.0rc4 (173 versions)
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially lea…
vulnerable: 1.10.0 ... 2.8.1rc1 (175 versions)
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom de…
vulnerable: 1.10.0 ... 2.8.1rc1 (175 versions)
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user…
vulnerable: 2.3.0 ... 2.6.1rc3 (44 versions)
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metad…
vulnerable: 1.10.0 ... 2.9.2rc1 (194 versions)
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive d…
vulnerable: 1.10.0 ... 2.8.2rc3 (179 versions)
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops…
vulnerable: 1.10.0 ... 2.8.2rc3 (179 versions)
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended …
vulnerable: 2.8.0 ... 2.8.2rc3 (7 versions)
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. …
vulnerable: 2.8.2, 2.8.3, 2.8.3rc1, 2.8.4rc1
Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder…
vulnerable: 2.7.0 ... 2.9.0rc3 (29 versions)
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configurati…
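Several entries above come down to two configuration knobs: `[webserver] expose_config` (the full-config and `non-sensitive-only` exposures) and `[core] enable_xcom_pickling` (XCom poisoning). The following audit is an added example, not code from this page or from the Airflow project; it parses an `airflow.cfg` with the standard-library `configparser` and flags the risky settings. The two cfg snippets are constructed for the example, the version ranges in the findings are taken from the advisories on this page, and the policy of flagging `non-sensitive-only` outright is this example's own choice, since Airflow 2.x defaults both keys to `False`.

```python
"""Audit an airflow.cfg for the settings behind advisories on this page.

Added example (not Airflow code). Assumptions: expose_config lives in
[webserver], enable_xcom_pickling in [core], and both default to False.
"""
import configparser
from typing import List

# Constructed sample: a deployment that left both risky knobs on.
WEAK_CFG = """
[core]
enable_xcom_pickling = True

[webserver]
expose_config = non-sensitive-only
"""

# Constructed sample: the hardened counterpart.
HARDENED_CFG = """
[core]
enable_xcom_pickling = False

[webserver]
expose_config = False
"""

_TRUTHY = ("true", "1", "yes", "on")


def audit_airflow_cfg(cfg_text: str) -> List[str]:
    """Return findings for the given cfg text; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    findings: List[str] = []

    # Missing key == Airflow 2.x default (False), which is the safe setting.
    expose = cp.get("webserver", "expose_config", fallback="False").strip().lower()
    if expose in _TRUTHY:
        findings.append(
            "[webserver] expose_config=True: the full configuration, secrets "
            "included, is viewable by any user who can reach the config page"
        )
    elif expose == "non-sensitive-only":
        findings.append(
            "[webserver] expose_config=non-sensitive-only: this mode still leaked "
            "sensitive values in 2.7.0-2.7.1 and provider configuration in "
            "2.7.0-2.8.4; set it to False unless you are on a fixed version"
        )

    pickling = cp.get("core", "enable_xcom_pickling", fallback="False").strip().lower()
    if pickling in _TRUTHY:
        findings.append(
            "[core] enable_xcom_pickling=True: XCom values are unpickled on read, "
            "so anyone who can write an XCom can run code in the consuming worker"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_airflow_cfg(cfg) or "OK")
```

The same checks apply to the environment-variable form of the settings (`AIRFLOW__WEBSERVER__EXPOSE_CONFIG`, `AIRFLOW__CORE__ENABLE_XCOM_PICKLING`), which override the file; audit both sources in a real deployment.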
vulnerable: 2.9.0b1, 2.9.0b2, 2.9.0rc1, 2.9.0rc2, 2.9.0rc3
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.
vulnerable: 1.10.0 ... 2.9.3rc1 (196 versions)
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.
vulnerable: 2.4.0 ... 2.9.3rc1 (75 versions)
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according…
vulnerable: 1.10.0 ... 2.9.3rc1 (200 versions)
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be i…
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented…
vulnerable: 1.10.0 ... 2.9.3rc1 (202 versions)
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG auth…
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the …
vulnerable: 1.10.0 ... 2.9.3rc1 (207 versions)
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables…
vulnerable: 1.10.0 ... 2.9.3rc1 (207 versions)
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those …
vulnerable: 1.10.0 ... 3.2.0rc2 (281 versions)
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of…
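The XCom pickling bypass (versions before 2.8.1) and the unsafe `example_xcom` pattern above share one root cause: an XCom value read back from the metadata database is attacker-controlled data for anyone who can write XComs, and deserializing it with `pickle` runs code. The block below is an added example, not Airflow code or the documentation example in question; it simulates the store-and-read path with plain `pickle`/`json` calls, and its "poisoned" payload is constructed to bump a counter rather than run a command. `unsafe_pull`, `safe_pull` and `PoisonedXCom` are this example's own names.

```python
"""Pickle-based XCom read versus a JSON-only read.

Added example (not Airflow code). The poisoned payload is constructed and
benign: its __reduce__ hook calls _side_effect instead of os.system.
"""
import json
import pickle
from typing import Any, Dict

EXECUTED = {"count": 0}


def _side_effect() -> str:
    # Stand-in for the attacker's command; a real payload would call os.system.
    EXECUTED["count"] += 1
    return "pwned"


class PoisonedXCom:
    """Any object whose __reduce__ returns a callable runs that callable on load."""

    def __reduce__(self):
        return (_side_effect, ())


def unsafe_pull(raw: bytes) -> Any:
    """The pattern the advisories warn about: unpickle whatever was stored."""
    return pickle.loads(raw)


def safe_pull(raw: bytes) -> Any:
    """JSON only: no code paths on load, and non-JSON payloads are rejected."""
    try:
        return json.loads(raw)
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise ValueError("XCom payload is not JSON; refusing to deserialize") from exc


def pull_typed(raw: bytes, expected: type) -> Any:
    """Consumers should also validate shape: a task that expects an int gets an int."""
    value = safe_pull(raw)
    if not isinstance(value, expected):
        raise TypeError(f"XCom value is {type(value).__name__}, expected {expected.__name__}")
    return value


def demo() -> Dict[str, Any]:
    """Run both readers over a poisoned payload and a clean one; return what happened."""
    poisoned = pickle.dumps(PoisonedXCom())  # what a malicious XCom writer would store
    before = EXECUTED["count"]
    unsafe_result = unsafe_pull(poisoned)     # executes _side_effect during load
    code_ran = EXECUTED["count"] - before
    try:
        safe_pull(poisoned)
        rejected = False
    except ValueError:
        rejected = True
    clean = pull_typed(b'{"rows": 3}', dict)  # constructed clean payload
    return {
        "unsafe_result": unsafe_result,
        "code_ran": code_ran,
        "rejected": rejected,
        "clean": clean,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for DAG authors is independent of the Airflow version: treat every `xcom_pull` result as untrusted input, validate its type and shape before acting on it, and never route it through `pickle`, `eval` or a shell.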
vulnerable: 3.0.3, 3.0.4rc1, 3.0.4rc2
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensi…
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
When a user logged out, the JWT the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at…
vulnerable: 3.0.0 ... 3.1.1rc2 (30 versions)
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
vulnerable: 3.0.0 ... 3.1.1rc2 (30 versions)
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
vulnerable: 3.0.0 ... 3.2.0rc2 (53 versions)
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager co…
vulnerable: 3.1.0 ... 3.1.5rc1 (13 versions)
A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users a…
vulnerable: 1.10.0 ... 2.0.0rc3 (67 versions)
Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has always been development-only and…
vulnerable: 3.0.0 ... 3.1.6rc1 (51 versions)
In Apache Airflow versions before 3.1.6 and 2.11.1, the `proxies` and `proxy` fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore…