Apache

Airflow

145 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Medienbericht
  • EPSS 0.82%
  • Veröffentlicht 18.04.2026 06:20:11
  • Zuletzt bearbeitet 22.04.2026 14:16:36

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are re...

  • EPSS 0.43%
  • Veröffentlicht 18.04.2026 06:19:47
  • Zuletzt bearbeitet 21.04.2026 12:54:57

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

  • EPSS 0.74%
  • Veröffentlicht 16.04.2026 13:31:52
  • Zuletzt bearbeitet 20.04.2026 16:54:59

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

  • EPSS 0.55%
  • Veröffentlicht 15.04.2026 12:30:17
  • Zuletzt bearbeitet 17.04.2026 18:37:33

The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to...

  • EPSS 0.58%
  • Veröffentlicht 15.04.2026 00:22:03
  • Zuletzt bearbeitet 17.04.2026 18:38:08

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the...

  • EPSS 0.59%
  • Veröffentlicht 13.04.2026 14:36:30
  • Zuletzt bearbeitet 17.04.2026 18:40:56

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are r...

  • EPSS 0.44%
  • Veröffentlicht 13.04.2026 14:20:37
  • Zuletzt bearbeitet 17.04.2026 18:41:33

Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make we...

  • EPSS 0.67%
  • Veröffentlicht 09.04.2026 11:12:41
  • Zuletzt bearbeitet 17.04.2026 13:03:16

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Us...

  • EPSS 0.69%
  • Veröffentlicht 09.04.2026 09:09:20
  • Zuletzt bearbeitet 15.04.2026 17:51:58

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate...

  • EPSS 0.44%
  • Veröffentlicht 17.03.2026 10:54:57
  • Zuletzt bearbeitet 17.03.2026 17:42:05

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are no...