
Apache Airflow — Vulnerabilities & Security Advisories 111

All 111 CVE vulnerabilities found in Apache Airflow, with AI-generated Chinese analysis, references, and POCs.

Vendor: Apache Software Foundation

| CVE ID | Title | CWE | CVSS | Severity | Date |
|---|---|---|---|---|---|
| CVE-2026-38743 | Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities | CWE-1220 | 4.3 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2026-40690 | Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users | CWE-1220 | 4.3 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2026-32690 | Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 | CWE-668 | 7.5 (AI) | High (AI) | 2026-04-18 |
| CVE-2026-30898 | Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf | CWE-77 | 8.8 (AI) | High (AI) | 2026-04-18 |
| CVE-2026-30912 | Apache Airflow: Exposing stack trace in case of constraint error | CWE-668 | 7.5 (AI) | High (AI) | 2026-04-18 |
| CVE-2026-25917 | Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) | CWE-502 | 9.8 (AI) | Critical (AI) | 2026-04-18 |
| CVE-2026-32228 | Apache Airflow: Users with asset materialization permissions could trigger Dags they had no access to | CWE-863 | 7.1 (AI) | High (AI) | 2026-04-18 |
| CVE-2026-31987 | Apache Airflow: JWT token appearing in logs | CWE-532 | 6.5 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-25219 | Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | CWE-200 | 6.5 | - | 2026-04-15 |
| CVE-2025-54550 | Apache Airflow: RCE by race condition in example_xcom dag | CWE-94 | 8.8 | - | 2026-04-15 |
| CVE-2026-33858 | Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API | CWE-502 | 9.8 | - | 2026-04-13 |
| CVE-2025-66236 | Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI | CWE-532 | 9.6 | - | 2026-04-13 |
| CVE-2025-57735 | Apache Airflow: Airflow Logout Not Invalidating JWT | CWE-613 | 9.1 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-34538 | Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure) | CWE-668 | 6.5 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-28563 | Apache Airflow: DAG authorization bypass | CWE-732 | 4.3 | - | 2026-03-17 |
| CVE-2026-26929 | Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata | CWE-732 | 5.3 (AI) | Medium (AI) | 2026-03-17 |
| CVE-2026-30911 | Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization | CWE-862 | 8.1 (AI) | High (AI) | 2026-03-17 |
| CVE-2026-28779 | Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications | CWE-668 | 9.8 (AI) | Critical (AI) | 2026-03-17 |
| CVE-2025-27555 | Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli | CWE-532 | 6.5 (AI) | Medium (AI) | 2026-02-24 |
| CVE-2024-56373 | Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information | CWE-94 | 8.0 (AI) | High (AI) | 2026-02-24 |
| CVE-2025-65995 | Apache Airflow: Disclosure of secrets to UI via kwargs | CWE-209 | 6.5 (AI) | Medium (AI) | 2026-02-21 |
| CVE-2026-22922 | Apache Airflow: Airflow externalLogUrl Permission Bypass | CWE-648 | 4.3 (AI) | Medium (AI) | 2026-02-09 |
| CVE-2026-24098 | Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors | CWE-200 | 4.3 (AI) | Medium (AI) | 2026-02-09 |
| CVE-2025-68675 | Apache Airflow: proxy credentials for various providers might leak in task logs | CWE-532 | 7.5 | - | 2026-01-16 |
| CVE-2025-68438 | Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated | CWE-200 | 7.5 | - | 2026-01-16 |
| CVE-2025-66388 | Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI | CWE-201 | 6.5 | - | 2025-12-15 |
| CVE-2025-54941 | Apache Airflow: Command injection in "example_dag_decorator" | CWE-78 | 8.8 (AI) | High (AI) | 2025-10-30 |
| CVE-2025-62402 | Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API | CWE-250 | 8.0 (AI) | High (AI) | 2025-10-30 |
| CVE-2025-62503 | Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables) | CWE-250 | 6.5 (AI) | Medium (AI) | 2025-10-30 |
| CVE-2025-54831 | Apache Airflow: Connection sensitive details exposed to users with READ permissions | CWE-213 | 6.5 | - | 2025-09-26 |

All 111 known CVE vulnerabilities affecting Apache Airflow with full Chinese analysis, references, and POCs where available.