Known Vulnerabilities for Airflow by Apache
Listed below are 10 of the newest known vulnerabilities associated with "Airflow" by "Apache".
These CVEs are retrieved based on exact matches on listed software, hardware, and vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed software information are still displayed.
Data on known vulnerable versions is also displayed, based on information from known CPEs.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-32794 | Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certi... | Not Provided | 2026-03-30 | 2026-03-31 |
| CVE-2022-24288 | In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susc... | 8.8 - HIGH | 2022-02-25 | 2022-03-04 |
| CVE-2021-38540 | The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated use... | 9.8 - CRITICAL | 2021-09-09 | 2023-11-07 |
| CVE-2021-35936 | If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) run... | 5.3 - MEDIUM | 2021-08-16 | 2022-10-07 |
| CVE-2021-29621 | Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppB... | 5.3 - MEDIUM | 2021-06-07 | 2023-11-07 |
| CVE-2021-28359 | The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apac... | 6.1 - MEDIUM | 2021-05-02 | 2023-11-07 |
| CVE-2021-26697 | The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed un... | 5.3 - MEDIUM | 2021-02-17 | 2023-11-07 |
| CVE-2021-26559 | Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role... | 6.5 - MEDIUM | 2021-02-17 | 2023-11-07 |
| CVE-2020-11981 | An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the... | 9.8 - CRITICAL | 2020-07-17 | 2020-07-24 |
| CVE-2020-11978 | An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered... | 8.8 - HIGH | 2020-07-17 | 2023-09-19 |
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Airflow | 2.0.1 | All | All | All |
| Application | Apache | Airflow | 2.0.0 | All | All | All |
| Application | Apache | Airflow | 1.9.0 | rc2 | All | All |
| Application | Apache | Airflow | 1.9.0 | - | All | All |
| Application | Apache | Airflow | 1.9.0 | alpha0 | All | All |
| Application | Apache | Airflow | 1.9.0 | alpha1 | All | All |
| Application | Apache | Airflow | 1.9.0 | rc1 | All | All |
| Application | Apache | Airflow | 1.9.0 | rc3 | All | All |
| Application | Apache | Airflow | 1.9.0 | rc4 | All | All |
| Application | Apache | Airflow | 1.9.0 | rc5 | All | All |
| Application | Apache | Airflow | 1.9.0 | rc6 | All | All |
| Application | Apache | Airflow | 1.9.0 | rc7 | All | All |
| Application | Apache | Airflow | 1.9.0 | rc8 | All | All |
| Application | Apache | Airflow | 1.8.2 | rc1 | All | All |
| Application | Apache | Airflow | 1.8.2 | rc4 | All | All |
| Application | Apache | Airflow | 1.8.2 | rc3 | All | All |
| Application | Apache | Airflow | 1.8.2 | rc2 | All | All |
| Application | Apache | Airflow | 1.8.2 | All | All | All |
| Application | Apache | Airflow | 1.8.1 | All | All | All |
| Application | Apache | Airflow | 1.8.0 | All | All | All |