Apache Airflow — Vulnerabilities & Security Advisories (128)

All 128 CVEs recorded for Apache Airflow, with AI-generated analysis (in Chinese), references, and proof-of-concept material where available.

This page aggregates vulnerability data for Apache Airflow, grouped by the weakness categories (CWE) that recur in this product. It covers reported issues in the Airflow orchestration platform from the project's first public releases through the most recent disclosures. Use it to track the Apache Software Foundation's advisories and the patches and mitigations they announce, to see how a given weakness class (authorization bypass, unsafe deserialization, secrets leaking into logs and API responses) shows up in the Airflow codebase and architecture, and to follow the product's vulnerability history for recurring patterns and its security posture over time.

It is aimed at security analysts, DevOps engineers, and system administrators who need one consolidated view of the risks in Airflow deployments, so that remediation can be prioritized by severity and exposure, and decisions on upgrade paths, configuration hardening, and compliance requirements can be made without searching several separate sources.

Vendor: Apache Software Foundation

The 30 most recently published entries are listed below. Titles are shown without the repeated "Apache Airflow:" prefix; an AI marker on a CVSS score or severity means the value is an AI-generated estimate, and "-" means no value is recorded.

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-40861 | Arbitrary File Read via Log Symlink following in FileTaskHandler | CWE-59 | - | - | 2026-06-01
CVE-2026-40961 | Open Redirect Bypass Vulnerability | CWE-601 | - | - | 2026-06-01
CVE-2026-40963 | DAG authorization bypass on /ui/structure/structure_data | CWE-285 | - | - | 2026-06-01
CVE-2026-41014 | per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints | CWE-862 | - | - | 2026-06-01
CVE-2026-49267 | No certificate validation on SMTP STARTTLS connections | CWE-295 | - | - | 2026-06-01
CVE-2026-41017 | JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy | CWE-614 | - | - | 2026-06-01
CVE-2026-41084 | API authorization bypass: bulk TaskInstances allows cross-DAG mutation | CWE-639 | - | - | 2026-06-01
CVE-2026-42252 | BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern | CWE-1336 | - | - | 2026-06-01
CVE-2026-42360 | Rendered template truncation bypasses nested sensitive-key masking | CWE-200 | - | - | 2026-06-01
CVE-2026-42358 | Variable masker depth-limit bypass returns cleartext nested secrets | CWE-200 | - | - | 2026-06-01
CVE-2026-42359 | Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator | CWE-502 | - | - | 2026-06-01
CVE-2026-45360 | Arbitrary import in custom deadline-reference deserialization | CWE-502 | - | - | 2026-06-01
CVE-2026-45426 | Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access | CWE-863 | - | - | 2026-06-01
CVE-2026-46764 | Event Log detail endpoint bypasses DAG-scoped event log permission filter | CWE-639 | - | - | 2026-06-01
CVE-2026-48726 | revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path | CWE-613 | - | - | 2026-06-01
CVE-2026-49298 | JWT Token Exposure in KubernetesExecutor Command-Line Arguments | CWE-538 | - | - | 2026-06-01
CVE-2026-45192 | Incomplete Redaction of Sensitive Fields in Connection Extra API Response | CWE-200 | - | - | 2026-06-01
CVE-2026-38743 | Dags endpoint might provide access to otherwise inaccessible entities | CWE-1220 | 4.3 (AI) | Medium (AI) | 2026-04-24
CVE-2026-40690 | Assets graph view bypasses DAG level access control, displaying unrelated topologies and all DAG names to unauthorized users | CWE-1220 | 4.3 (AI) | Medium (AI) | 2026-04-24
CVE-2026-32690 | 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 | CWE-668 | 7.5 (AI) | High (AI) | 2026-04-18
CVE-2026-30898 | Bad example of BashOperator shell injection via dag_run.conf | CWE-77 | 8.8 (AI) | High (AI) | 2026-04-18
CVE-2026-30912 | Exposing stack trace in case of constraint error | CWE-668 | 7.5 (AI) | High (AI) | 2026-04-18
CVE-2026-25917 | API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) | CWE-502 | 9.8 (AI) | Critical (AI) | 2026-04-18
CVE-2026-32228 | Users with asset materialization permissions could trigger Dags they had no access to | CWE-863 | 7.1 (AI) | High (AI) | 2026-04-18
CVE-2026-31987 | JWT token appearing in logs | CWE-532 | 6.5 (AI) | Medium (AI) | 2026-04-16
CVE-2026-25219 | Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | CWE-200 | 6.5 | - | 2026-04-15
CVE-2025-54550 | RCE by race condition in example_xcom dag | CWE-94 | 8.8 | - | 2026-04-15
CVE-2026-33858 | Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API | CWE-502 | 9.8 | - | 2026-04-13
CVE-2025-66236 | Secrets from Airflow config file logged in plain text in DAG run logs UI | CWE-532 | 9.6 | - | 2026-04-13
CVE-2025-57735 | Airflow Logout Not Invalidating JWT | CWE-613 | 9.1 (AI) | Critical (AI) | 2026-04-09
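
The nested-secret redaction entries above (the variable masker depth-limit bypass, the max_depth=1 variable redaction bypass, and the rendered-template masking bypass) share one failure mode: a recursive masker that stops at a depth limit and hands back whatever sits below that limit in cleartext. The block below is an added illustration written for this page, not Airflow's SecretsMasker and not code from any of those advisories. The function names, the sensitive-key list, and the sample connection are constructed assumptions; it shows the fail-open variant beside a fail-closed one that masks any subtree it will not descend into.

```python
from typing import Any

# Constructed marker list for the illustration (Airflow's real list is configurable).
SENSITIVE_KEYS = ("password", "secret", "token", "api_key")
MASK = "***"


def _is_sensitive(name: Any) -> bool:
    """A key counts as sensitive when any marker is a substring of it."""
    return isinstance(name, str) and any(k in name.lower() for k in SENSITIVE_KEYS)


def redact_leaky(item: Any, name: Any = None, depth: int = 0, max_depth: int = 1) -> Any:
    """Depth-limited masker with the bypass: once depth exceeds max_depth the
    subtree is returned untouched, so a secret nested one level too deep is
    emitted in cleartext even though its key is sensitive."""
    if depth > max_depth:
        return item  # fail-open: nothing below the limit is inspected
    if _is_sensitive(name):
        return MASK
    if isinstance(item, dict):
        return {k: redact_leaky(v, k, depth + 1, max_depth) for k, v in item.items()}
    if isinstance(item, (list, tuple)):
        return type(item)(redact_leaky(v, name, depth + 1, max_depth) for v in item)
    return item


def redact_safe(item: Any, name: Any = None, depth: int = 0, max_depth: int = 1) -> Any:
    """Fail-closed masker: the sensitive-name check runs before the depth check,
    and a container that would exceed max_depth is replaced by MASK instead of
    being returned verbatim. Scalars under a non-sensitive key are kept."""
    if _is_sensitive(name):
        return MASK
    if depth > max_depth:
        return MASK if isinstance(item, (dict, list, tuple)) else item
    if isinstance(item, dict):
        return {k: redact_safe(v, k, depth + 1, max_depth) for k, v in item.items()}
    if isinstance(item, (list, tuple)):
        return type(item)(redact_safe(v, name, depth + 1, max_depth) for v in item)
    return item


def leaks(redacted: Any, secret: str) -> bool:
    """True if the secret value survives anywhere in the redacted structure."""
    if isinstance(redacted, dict):
        return any(leaks(v, secret) for v in redacted.values())
    if isinstance(redacted, (list, tuple)):
        return any(leaks(v, secret) for v in redacted)
    return redacted == secret


# Constructed sample: a connection whose secret lives in the 'extra' sub-dict,
# i.e. one level deeper than max_depth=1 reaches.
SAMPLE_CONN = {"login": "svc", "extra": {"password": "hunter2"}}

if __name__ == "__main__":
    print(redact_leaky(SAMPLE_CONN))  # extra.password comes back in cleartext
    print(redact_safe(SAMPLE_CONN))   # extra.password is masked
```

The practical check for a deployment is the `leaks` pass: render a Connection or Variable that nests a known secret two or more levels deep and confirm the known value is absent from the masked output, rather than trusting that the top-level keys were masked.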

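The two BashOperator entries above (Jinja2 injection and shell injection via dag_run.conf) describe a DAG-authoring pattern rather than a single bug: trigger-time conf is rendered straight into bash_command, so whoever can trigger the DAG can run shell on the worker. The block below is an added example for this page, not code from the advisories or from Airflow itself. It simulates the Jinja rendering with a plain substitution so it runs without Airflow or Jinja2 installed, and the command strings, function names and trigger payload are constructed.

```python
import shlex
import shutil
import subprocess
from typing import Dict, Optional

# BashOperator runs bash; fall back to sh, which behaves identically for these commands.
SHELL = shutil.which("bash") or "sh"


def render_template(template: str, conf: Dict[str, object]) -> str:
    """Stand-in for Jinja rendering of {{ dag_run.conf['key'] }} (assumption: only
    that expression form is supported). Like Jinja, it splices the value in
    verbatim, which is what lets shell metacharacters in conf reach the shell."""
    rendered = template
    for key, value in conf.items():
        rendered = rendered.replace("{{ dag_run.conf['%s'] }}" % key, str(value))
    return rendered


def _run(cmd: str, env: Optional[Dict[str, str]] = None) -> str:
    return subprocess.run([SHELL, "-c", cmd], capture_output=True, text=True, env=env).stdout


def run_vulnerable(conf: Dict[str, object]) -> str:
    """The anti-pattern: user-controlled conf rendered into the command text."""
    bash_command = "echo Hello {{ dag_run.conf['name'] }}"
    return _run(render_template(bash_command, conf))


def run_quoted(conf: Dict[str, object]) -> str:
    """Mitigation 1: shell-quote every value before it is spliced into the command."""
    bash_command = "echo Hello {{ dag_run.conf['name'] }}"
    quoted = {k: shlex.quote(str(v)) for k, v in conf.items()}
    return _run(render_template(bash_command, quoted))


def run_env(conf: Dict[str, object]) -> str:
    """Mitigation 2 (preferred): the value never enters the command string. It is
    handed to the shell through the environment and expanded double-quoted, so
    metacharacters and $(...) stay data. PATH is set only so the shell starts."""
    bash_command = 'echo Hello "$NAME"'
    env = {"NAME": str(conf.get("name", "")), "PATH": "/usr/bin:/bin"}
    return _run(bash_command, env)


# Constructed trigger payload, of the kind a user can pass as DAG run conf.
PAYLOAD = {"name": "world; echo INJECTED"}

if __name__ == "__main__":
    print(run_vulnerable(PAYLOAD), end="")  # second line: INJECTED
    print(run_quoted(PAYLOAD), end="")      # one line, payload echoed literally
    print(run_env(PAYLOAD), end="")         # one line, payload echoed literally
```

When auditing DAGs for this pattern, grep bash_command strings for `dag_run.conf`, `params` and `var.value` references and move any that carry user-controlled input into the operator's env mapping, as run_env does above; quoting in the template is a fallback where that is impractical.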