CVE-2020-13927
Summary
| CVE | CVE-2020-13927 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-11-10 16:15:00 UTC |
| Updated | 2023-09-19 18:15:00 UTC |
| Description | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default |
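The remediation in the description (pinning `[api] auth_backend` to `airflow.api.auth.backend.deny_all`) is easy to miss on an upgraded install, because the configuration that was carried over, not the release being run, decides whether the Experimental API still answers unauthenticated requests. The following is an added example for this record, not Airflow's own code: it audits an `airflow.cfg` for that setting and produces a hardened copy. It assumes that Airflow reads `[api] auth_backend` from `airflow.cfg`, that the environment variable `AIRFLOW__API__AUTH_BACKEND` overrides the file, and that when the key is absent releases before 1.10.11 fall back to the allow-all module `airflow.api.auth.backend.default` while 1.10.11 and later fall back to `deny_all`. The sample configurations are constructed for the demonstration.

```python
"""Audit an Airflow 1.10.x airflow.cfg for the CVE-2020-13927 insecure default.

Added example; not Airflow's own code. Assumptions (not taken from the record):
  * [api] auth_backend is read from airflow.cfg and the environment variable
    AIRFLOW__API__AUTH_BACKEND overrides the file.
  * With the key absent, releases before 1.10.11 use the allow-all module
    airflow.api.auth.backend.default; 1.10.11 and later use deny_all.
"""
import configparser
import io
from typing import Dict, Optional, Tuple

ALLOW_ALL_BACKEND = "airflow.api.auth.backend.default"   # pre-1.10.11 default: no auth
DENY_ALL_BACKEND = "airflow.api.auth.backend.deny_all"   # default from 1.10.11
ENV_OVERRIDE = "AIRFLOW__API__AUTH_BACKEND"
FIX_RELEASE = (1, 10, 11)

# Constructed sample: a 1.10.10-era airflow.cfg that pins the allow-all backend.
LEGACY_CFG = """
[core]
dags_folder = /opt/airflow/dags
log_format = [%%(asctime)s] %%(message)s

[api]
auth_backend = airflow.api.auth.backend.default
"""

# Constructed sample: no [api] section at all, so the shipped default applies.
MISSING_CFG = """
[core]
dags_folder = /opt/airflow/dags
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.10.10' -> (1, 10, 10); a suffix such as '1.10.10rc1' is ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts)


def _load(cfg_text: str) -> configparser.ConfigParser:
    # Airflow configs carry literal '%' in log formats; disable interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    return cfg


def effective_auth_backend(cfg_text: str, airflow_version: str,
                           env: Optional[Dict[str, str]] = None) -> str:
    """Return the backend the Experimental API will actually use."""
    env = env or {}
    if env.get(ENV_OVERRIDE, "").strip():
        return env[ENV_OVERRIDE].strip()          # environment wins over the file
    configured = _load(cfg_text).get("api", "auth_backend", fallback=None)
    if configured and configured.strip():
        return configured.strip()
    # Key absent: the shipped default depends on the release being run.
    if parse_version(airflow_version) < FIX_RELEASE:
        return ALLOW_ALL_BACKEND
    return DENY_ALL_BACKEND


def assess(cfg_text: str, airflow_version: str,
           env: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """OPEN = CVE-2020-13927 exposure, DENY_ALL = API disabled,
    AUTH_REQUIRED = some other backend (kerberos, basic auth, custom)."""
    backend = effective_auth_backend(cfg_text, airflow_version, env)
    if backend == ALLOW_ALL_BACKEND:
        return "OPEN", backend
    if backend == DENY_ALL_BACKEND:
        return "DENY_ALL", backend
    return "AUTH_REQUIRED", backend


def harden(cfg_text: str) -> str:
    """Rewrite cfg_text with [api] auth_backend pinned to deny_all.
    Caveat: configparser drops comments when writing the file back."""
    cfg = _load(cfg_text)
    if not cfg.has_section("api"):
        cfg.add_section("api")
    cfg.set("api", "auth_backend", DENY_ALL_BACKEND)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    cases = [("legacy cfg, 1.10.10", LEGACY_CFG, "1.10.10"),
             ("legacy cfg, 1.10.11", LEGACY_CFG, "1.10.11"),
             ("no [api] section, 1.10.10", MISSING_CFG, "1.10.10"),
             ("no [api] section, 1.10.11", MISSING_CFG, "1.10.11"),
             ("hardened legacy cfg, 1.10.10", harden(LEGACY_CFG), "1.10.10")]
    for label, text, ver in cases:
        print(f"{label:30s} -> {assess(text, ver)}")
```

The second case is the one the description warns about: upgrading to 1.10.11 changes nothing for an install whose carried-over `airflow.cfg` still names the allow-all backend, and only an explicit `deny_all` (or an authenticating backend) in the file or the environment closes the hole. Point the functions at a real file's contents and the deployment's environment to audit a live instance.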
Risk And Classification
EPSS: 0.941040000 probability, percentile 0.999070000 (date 2026-04-01)
CISA KEV: Listed on 2022-01-18; due 2022-07-18; ransomware use Unknown
Problem Types: CWE-1188
CISA Known Exploited Vulnerability
| Vendor | Apache |
|---|---|
| Product | Airflow's Experimental API |
| Name | Apache Airflow's Experimental API Authentication Bypass |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2020-13927 |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Airflow 1.10.10 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Pony Mail! | MISC | lists.apache.org | Vendor Advisory |
| Apache Airflow 1.10.10 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.