Skip to main content

Apache Airflow

14 CVEs product

Monthly

CVE-2026-33264 PyPI CRITICAL PATCH Act Now

Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controlled class path is loaded via an unrestricted import_string() when the Scheduler or API Server deserializes the serialized DAG, executing arbitrary code in those privileged processes and breaking the core Airflow boundary that DAG-author code must never run in the Scheduler/API Server. Reported by Apache with a fix in 3.3.0, it currently has no public exploit identified and a low EPSS of 0.69% (48th percentile), and it is not listed in CISA KEV. The practical severity depends heavily on how much a deployment trusts its DAG authors, since exploitation requires the ability to submit a DAG.

Deserialization RCE Apache Apache Airflow
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-49487 PyPI MEDIUM PATCH This Month

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when tasks are in a deferred state. Any authenticated user holding DAG-scoped task-instance read access - a permission commonly granted to non-admin roles - can retrieve API keys, passwords, or other secrets passed by deferred operators into trigger kwargs. Fixed in Apache Airflow 3.3.0; no public exploit code identified at time of analysis, though exploitation is trivially achievable by any authenticated user with the requisite read permission.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48828 MEDIUM PATCH This Month

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read permission to retrieve plaintext values from JSON-typed variables whose key names use secret-suffixed conventions such as `*_password`, `*_token`, or `*_secret`. The redactor function was invoked without passing the variable key, so the `should_hide_value_for_key` check - which is responsible for masking secrets based on key-name patterns - could never fire for JSON-decodable variable values. This affects all deployments prior to 3.3.0 that store sensitive credentials in JSON-typed Airflow Variables under secret-suffixed key names; no public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for authenticated access with a specific permission grant.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49296 PyPI MEDIUM PATCH This Month

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full file contents returned. No public exploit has been identified and the issue is not listed in CISA KEV, but it directly undermines per-DAG access control in multi-tenant or team-partitioned Airflow deployments.

Authentication Bypass Apache Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48891 PyPI MEDIUM PATCH This Month

Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted DAG identifiers to authenticated users who lack read permission on those DAGs. The endpoint correctly filters top-level serialized DAG keys against the caller's ACL but leaks referenced DAG IDs through `dep.source` and `dep.target` fields of trigger and sensor dependency entries, enabling cross-team DAG enumeration in multi-tenant deployments. This is a residual gap from an incomplete fix for CVE-2026-28563; no public exploit has been identified at time of analysis, and a vendor patch is available in apache-airflow 3.3.0.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-48892 PyPI MEDIUM PATCH This Month

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permission, because per-key environment variable overrides (e.g., AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID) generate synthetic config entries whose names are absent from the sensitive_config_values masking list. Affected deployments are those that configure secrets backends such as HashiCorp Vault via these per-key environment variable patterns, exposing credentials like Vault role_id and secret_id through normal API responses. No public exploit has been identified at the time of analysis; the vendor-released fix is apache-airflow 3.3.0.

Hashicorp Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-30898 HIGH PATCH This Week

Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate privileges from UI user to worker-level code execution. Affects all Airflow versions before 3.2.0. The vulnerability stems from documentation suggesting unsafe handling of dag_run.conf parameters, which organizations may have replicated in production DAGs. EPSS score of 0.03% indicates low observed exploitation probability, though the upstream fix (PR #64129) demonstrates vendor acknowledgment and remediation.

Command Injection Apache Airflow
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32228 PyPI HIGH PATCH GHSA This Week

Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acyclic Graph) execution via the UI or API, bypassing asset materialize permission checks. Despite CVSS 7.5 HIGH, the CVSS vector (PR:N) contradicts the description's requirement for 'UI/API user with asset materialize permission', suggesting authentication IS required-a critical discrepancy that demands verification. EPSS of 0.01% (3rd percentile) indicates minimal observed exploitation activity. Vendor-released patch available in Airflow 3.2.0 per Apache advisory.

Authentication Bypass Apache Airflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31987 PyPI HIGH PATCH GHSA This Week

Apache Airflow 3.0.0 through 3.1.x exposes JWT authentication tokens in application logs, allowing any authenticated UI user with log access to escalate privileges and impersonate DAG Authors. CVSS rates this 7.5 HIGH for confidentiality impact, though the EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. No active exploitation is confirmed; vendor patch available in version 3.2.0 released April 2026.

Information Disclosure Apache Airflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-54550 PyPI HIGH PATCH GHSA This Week

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of the example with improved resiliance for that case. Users who followed that pattern are advised to adjust their implementations accordingly.

Code Injection RCE Apache Airflow
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28563 PyPI MEDIUM PATCH This Month

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Authentication Bypass Debian Apache Airflow
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-26929 PyPI MEDIUM PATCH GHSA This Month

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Python Authentication Bypass Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30911 PyPI HIGH PATCH GHSA This Week

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Authentication Bypass Apache Debian Apache Airflow
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28779 PyPI HIGH PATCH GHSA This Week

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Information Disclosure Apache Debian Apache Airflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controlled class path is loaded via an unrestricted import_string() when the Scheduler or API Server deserializes the serialized DAG, executing arbitrary code in those privileged processes and breaking the core Airflow boundary that DAG-author code must never run in the Scheduler/API Server. Reported by Apache with a fix in 3.3.0, it currently has no public exploit identified and a low EPSS of 0.69% (48th percentile), and it is not listed in CISA KEV. The practical severity depends heavily on how much a deployment trusts its DAG authors, since exploitation requires the ability to submit a DAG.

Deserialization RCE Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when tasks are in a deferred state. Any authenticated user holding DAG-scoped task-instance read access - a permission commonly granted to non-admin roles - can retrieve API keys, passwords, or other secrets passed by deferred operators into trigger kwargs. Fixed in Apache Airflow 3.3.0; no public exploit code identified at time of analysis, though exploitation is trivially achievable by any authenticated user with the requisite read permission.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read permission to retrieve plaintext values from JSON-typed variables whose key names use secret-suffixed conventions such as `*_password`, `*_token`, or `*_secret`. The redactor function was invoked without passing the variable key, so the `should_hide_value_for_key` check - which is responsible for masking secrets based on key-name patterns - could never fire for JSON-decodable variable values. This affects all deployments prior to 3.3.0 that store sensitive credentials in JSON-typed Airflow Variables under secret-suffixed key names; no public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for authenticated access with a specific permission grant.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full file contents returned. No public exploit has been identified and the issue is not listed in CISA KEV, but it directly undermines per-DAG access control in multi-tenant or team-partitioned Airflow deployments.

Authentication Bypass Apache Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted DAG identifiers to authenticated users who lack read permission on those DAGs. The endpoint correctly filters top-level serialized DAG keys against the caller's ACL but leaks referenced DAG IDs through `dep.source` and `dep.target` fields of trigger and sensor dependency entries, enabling cross-team DAG enumeration in multi-tenant deployments. This is a residual gap from an incomplete fix for CVE-2026-28563; no public exploit has been identified at time of analysis, and a vendor patch is available in apache-airflow 3.3.0.

Apache Information Disclosure Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permission, because per-key environment variable overrides (e.g., AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID) generate synthetic config entries whose names are absent from the sensitive_config_values masking list. Affected deployments are those that configure secrets backends such as HashiCorp Vault via these per-key environment variable patterns, exposing credentials like Vault role_id and secret_id through normal API responses. No public exploit has been identified at the time of analysis; the vendor-released fix is apache-airflow 3.3.0.

Hashicorp Apache Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate privileges from UI user to worker-level code execution. Affects all Airflow versions before 3.2.0. The vulnerability stems from documentation suggesting unsafe handling of dag_run.conf parameters, which organizations may have replicated in production DAGs. EPSS score of 0.03% indicates low observed exploitation probability, though the upstream fix (PR #64129) demonstrates vendor acknowledgment and remediation.

Command Injection Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acyclic Graph) execution via the UI or API, bypassing asset materialize permission checks. Despite CVSS 7.5 HIGH, the CVSS vector (PR:N) contradicts the description's requirement for 'UI/API user with asset materialize permission', suggesting authentication IS required-a critical discrepancy that demands verification. EPSS of 0.01% (3rd percentile) indicates minimal observed exploitation activity. Vendor-released patch available in Airflow 3.2.0 per Apache advisory.

Authentication Bypass Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Apache Airflow 3.0.0 through 3.1.x exposes JWT authentication tokens in application logs, allowing any authenticated UI user with log access to escalate privileges and impersonate DAG Authors. CVSS rates this 7.5 HIGH for confidentiality impact, though the EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. No active exploitation is confirmed; vendor patch available in version 3.2.0 released April 2026.

Information Disclosure Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of the example with improved resiliance for that case. Users who followed that pattern are advised to adjust their implementations accordingly.

Code Injection RCE Apache Airflow
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Authentication Bypass +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Python +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Authentication Bypass Apache Debian +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Information Disclosure Apache Debian +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy