4.8

CVE-2026-32794

EPSS 0.03%
Veröffentlicht 30.03.2026 21:43:38
Zuletzt bearbeitet 02.04.2026 20:26:24
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange

Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice.

This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0.

Users are recommended to upgrade to version 1.12.0, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Providers Databricks Version >= 1.10.0 < 1.12.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.095

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://github.com/apache/airflow/pull/63704

Patch

Issue Tracking

https://lists.apache.org/thread/hn17yqsgsdtl81llvhf80rkp53hnz5nb

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/03/30/9

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-32794

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32794

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32794

EUVD