Apache

Airflow

145 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.55%
  • Veröffentlicht 01.06.2026 09:16:18
  • Zuletzt bearbeitet 03.06.2026 02:07:22

A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoin...

  • EPSS 0.67%
  • Veröffentlicht 01.06.2026 09:16:17
  • Zuletzt bearbeitet 02.06.2026 18:49:39

A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequen...

  • EPSS 0.41%
  • Veröffentlicht 01.06.2026 06:51:41
  • Zuletzt bearbeitet 01.06.2026 17:08:11

A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not prese...

Medienbericht
  • EPSS 0.16%
  • Veröffentlicht 19.05.2026 19:19:00
  • Zuletzt bearbeitet 02.07.2026 16:37:59

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Ta...

  • EPSS 0.27%
  • Veröffentlicht 30.04.2026 09:09:45
  • Zuletzt bearbeitet 01.05.2026 17:54:49

Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could presen...

  • EPSS 0.35%
  • Veröffentlicht 24.04.2026 12:36:40
  • Zuletzt bearbeitet 27.04.2026 12:24:28

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their reque...

  • EPSS 0.35%
  • Veröffentlicht 24.04.2026 12:35:33
  • Zuletzt bearbeitet 27.04.2026 12:24:56

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and asset...

  • EPSS 0.42%
  • Veröffentlicht 18.04.2026 06:22:26
  • Zuletzt bearbeitet 21.04.2026 14:41:08

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you...

Medienbericht
  • EPSS 0.77%
  • Veröffentlicht 18.04.2026 06:20:48
  • Zuletzt bearbeitet 21.04.2026 14:43:36

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of...

Medienbericht
  • EPSS 0.45%
  • Veröffentlicht 18.04.2026 06:20:30
  • Zuletzt bearbeitet 21.04.2026 14:42:49

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow...