Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice.
This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0.
Users are recommended to upgrade to version 1.12.0, which fixes the issue.
AnalysisAI
Improper certificate validation in Apache Airflow Provider for Databricks versions 1.10.0 through 1.11.x allows unauthenticated attackers to intercept and manipulate traffic between Airflow and Databricks backends via man-in-the-middle attacks, potentially exfiltrating credentials and sensitive workflow data. The provider did not validate SSL/TLS certificates when establishing connections to Databricks, creating a critical trust boundary weakness. Vendor-released patch available in version 1.12.0; no public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
This vulnerability stems from a certificate validation bypass in the Databricks provider for Apache Airflow, rooted in CWE-295 (Improper Certificate Validation). When establishing HTTPS connections to Databricks backend services, the provider code failed to properly verify the server's SSL/TLS certificate chain, removing a critical cryptographic control. This allows attackers positioned on the network path (whether on local LAN, compromised ISP infrastructure, or cloud network segments) to present a fraudulent certificate and intercept bidirectional traffic. Given that Databricks connections typically carry OAuth tokens, API keys, and workflow execution data, the impact extends beyond traffic interception to credential theft and unauthorized data manipulation. The affected product is Apache Airflow Provider for Databricks (CPE: cpe:2.3:a:apache_software_foundation:apache_airflow_provider_for_databricks:*:*:*:*:*:*:*:*), which serves as a bridge between Airflow orchestration workflows and Databricks compute clusters.
RemediationAI
Vendor-released patch: Apache Airflow Provider for Databricks version 1.12.0 and later. Upgrade the provider package immediately using pip install --upgrade apache-airflow-providers-databricks==1.12.0 or via your Python dependency management system. Verify the upgrade by checking the installed version with pip show apache-airflow-providers-databricks. No workarounds are available short of patching; certificate validation is a fundamental security control that cannot be safely disabled or replaced. The upstream fix is documented in GitHub PR #63704 (https://github.com/apache/airflow/pull/63704) and Apache's official advisory (https://lists.apache.org/thread/hn17yqsgsdtl81llvhf80rkp53hnz5nb). After patching, redeploy any stored Databricks credentials in Airflow connection definitions to eliminate exposure from previous unencrypted communications.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17219