CVE-2026-33264
- EPSS 1.65%
- Veröffentlicht 07.07.2026 09:20:18
- Zuletzt bearbeitet 08.07.2026 19:37:10
A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code ...
CVE-2026-49487
- EPSS 0.44%
- Veröffentlicht 07.07.2026 09:19:36
- Zuletzt bearbeitet 09.07.2026 13:17:08
In Apache Airflow before 3.3.0, the REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. When a deferred operator passed a secret (for example a provider API key) into its trigger, any authentica...
CVE-2026-48828
- EPSS 0.66%
- Veröffentlicht 07.07.2026 09:18:53
- Zuletzt bearbeitet 08.07.2026 19:26:11
The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based `should_hide_value_for_key` check (which triggers on secret-suffixed key names like `*_password` / `*_token` / `*_secret`) could not fir...
CVE-2026-49296
- EPSS 0.6%
- Veröffentlicht 07.07.2026 09:18:12
- Zuletzt bearbeitet 08.07.2026 20:04:17
Before apache-airflow 3.3.0, a user authorized to read one Dag could disclose the source of other Dags co-located in the same source file. `GET /api/v2/dagSources/{dag_id}` — and the equivalent Dag-source view in the UI — returned the entire source f...
CVE-2026-48891
- EPSS 0.36%
- Veröffentlicht 07.07.2026 09:17:28
- Zuletzt bearbeitet 09.07.2026 13:16:42
A bug in Apache Airflow's `/ui/dependencies` scheduling graph endpoint applied the caller's readable-Dag filter to the top-level serialized Dag key but still emitted referenced Dag IDs through the `dep.source` and `dep.target` fields of trigger / sen...
CVE-2026-48892
- EPSS 0.44%
- Veröffentlicht 07.07.2026 09:16:26
- Zuletzt bearbeitet 09.07.2026 13:16:57
The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECRET_ID`) as synthetic config options whose option na...
CVE-2026-46764
- EPSS 0.35%
- Veröffentlicht 01.06.2026 09:16:20
- Zuletzt bearbeitet 02.06.2026 17:16:35
The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-...
CVE-2026-48726
- EPSS 0.37%
- Veröffentlicht 01.06.2026 09:16:20
- Zuletzt bearbeitet 03.06.2026 02:06:43
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token...
CVE-2026-49267
- EPSS 0.19%
- Veröffentlicht 01.06.2026 09:16:20
- Zuletzt bearbeitet 03.06.2026 02:06:28
Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attack...
CVE-2026-49298
- EPSS 0.49%
- Veröffentlicht 01.06.2026 09:16:20
- Zuletzt bearbeitet 03.06.2026 02:06:10
A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kub...