CVE-2026-42360
- EPSS 0.34%
- Veröffentlicht 01.06.2026 09:16:19
- Zuletzt bearbeitet 01.06.2026 17:06:22
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max...
CVE-2026-45360
- EPSS 0.65%
- Veröffentlicht 01.06.2026 09:16:19
- Zuletzt bearbeitet 03.06.2026 02:06:59
Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gat...
CVE-2026-45426
- EPSS 0.34%
- Veröffentlicht 01.06.2026 09:16:19
- Zuletzt bearbeitet 01.06.2026 18:25:06
Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the ...
CVE-2026-40961
- EPSS 0.65%
- Veröffentlicht 01.06.2026 09:16:18
- Zuletzt bearbeitet 02.06.2026 18:49:33
A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to ...
CVE-2026-40963
- EPSS 0.46%
- Veröffentlicht 01.06.2026 09:16:18
- Zuletzt bearbeitet 01.06.2026 17:06:48
The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate l...
CVE-2026-41014
- EPSS 0.35%
- Veröffentlicht 01.06.2026 09:16:18
- Zuletzt bearbeitet 02.06.2026 18:49:24
The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and ...
CVE-2026-41017
- EPSS 0.27%
- Veröffentlicht 01.06.2026 09:16:18
- Zuletzt bearbeitet 02.06.2026 17:16:31
Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and f...
CVE-2026-41084
- EPSS 0.46%
- Veröffentlicht 01.06.2026 09:16:18
- Zuletzt bearbeitet 02.06.2026 18:49:13
A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extract...
CVE-2026-42252
- EPSS 0.37%
- Veröffentlicht 01.06.2026 09:16:18
- Zuletzt bearbeitet 02.06.2026 18:48:48
Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization wa...
CVE-2026-42358
- EPSS 0.34%
- Veröffentlicht 01.06.2026 09:16:18
- Zuletzt bearbeitet 02.06.2026 17:16:32
A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets maske...