How to fix CVE-2024-56373?

Within 24 hours: Inventory all Airflow 2 instances and identify users with DAG authoring permissions; restrict access to historical task information in the web UI. Within 7 days: Implement network segmentation to limit web server lateral movement; audit recent DAG modifications for suspicious changes. Within 30 days: Upgrade to a patched Airflow version when available; conduct security review of DAG author access controls and principle of least privilege implementation.

Is AI / ML affected by CVE-2024-56373?

A high-severity vulnerability in Apache Airflow 2 allows authenticated DAG authors to execute arbitrary code within the web server context, potentially compromising the entire Airflow infrastructure.

CVE-2024-56373

HIGH

2026-02-24 [email protected]

GHSA-r837-hpv7-pc2f

8.4

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 10:16 nvd

HIGH 8.4

Description

DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.

Analysis

Technical Context

Classified as CWE-94 (Code Injection). Affects Airflow. DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information.

The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they

Affected Products

Vendor: Apache. Product: Airflow.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +42

POC: 0

CVE-2024-56373 vulnerability details – vuln.today

Back

CVE-2024-56373

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-56373

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code