Known Vulnerabilities for Airflow by Apache
Listed below are 10 of the newest known vulnerabilities associated with "Airflow" by "Apache".
These CVEs are retrieved based on exact matches on listed software, hardware, and vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed software information are still displayed.
Data on known vulnerable versions is also displayed based on information from known CPEs
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-40948 json | The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state`... | Not Provided | 2026-04-18 | 2026-04-20 |
| CVE-2026-34538 json | Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG R... | Not Provided | 2026-04-09 | 2026-04-09 |
| CVE-2026-33858 json | Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the we... | Not Provided | 2026-04-13 | 2026-04-14 |
| CVE-2026-32794 json | Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certi... | Not Provided | 2026-03-30 | 2026-03-31 |
| CVE-2026-32690 json | Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the use... | Not Provided | 2026-04-18 | 2026-04-20 |
| CVE-2026-32228 json | UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Air... | Not Provided | 2026-04-18 | 2026-04-20 |
| CVE-2026-31987 json | JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade... | Not Provided | 2026-04-16 | 2026-04-18 |
| CVE-2026-30912 json | In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false.... | Not Provided | 2026-04-18 | 2026-04-20 |
| CVE-2026-30898 json | An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsan... | Not Provided | 2026-04-18 | 2026-04-20 |
| CVE-2026-25917 json | Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the we... | Not Provided | 2026-04-18 | 2026-04-22 |
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Airflow | 2.0.1 | |||
| Application | Apache | Airflow | 2.0.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.1 | |||
| Application | Apache | Airflow | 1.8.0 |