Apache Airflow

5 CVEs product

CVE-2026-34538 MEDIUM PATCH This Month

Apache Airflow 3.0.0 through 3.1.8 discloses XCom result values to users who have only DAG Run read permissions (such as the Viewer role), violating the FAB RBAC model, which treats XCom as a protected resource. This information disclosure lets authenticated users access sensitive execution results they should not be able to view. The vulnerability is not confirmed as actively exploited, and a patch is available in Apache Airflow 3.2.0.

Tags: Airflow, Information Disclosure, Apache Airflow
Sources: NVD, GitHub, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%

CVE-2026-28563 MEDIUM PATCH This Month

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Tags: Information Disclosure, Apache, Authentication Bypass, Debian, Apache Airflow
Sources: NVD, GitHub, VulDB
CVSS 3.1: 4.3
EPSS: 0.0%

CVE-2026-26929 MEDIUM PATCH This Month

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Tags: Information Disclosure, Apache, Python, Authentication Bypass, Apache Airflow
Sources: NVD, GitHub, VulDB
CVSS 3.1: 6.5
EPSS: 0.0%

CVE-2026-30911 HIGH PATCH This Week

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Tags: Authentication Bypass, Apache, Debian, Apache Airflow
Sources: NVD, GitHub, VulDB
CVSS 3.1: 8.1
EPSS: 0.0%

CVE-2026-28779 HIGH PATCH This Week

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Tags: Information Disclosure, Apache, Debian, Apache Airflow
Sources: NVD, GitHub, VulDB
CVSS 3.1: 7.5
EPSS: 0.0%
