Known Vulnerabilities for Airflow by Apache
Listed below are 10 of the newest known vulnerabilities associated with "Airflow" by "Apache".
These CVEs are retrieved based on exact matches on listed software, hardware, and vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed software information are still displayed.
Data on known vulnerable versions is also displayed based on information from known CPEs
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-49298 json | A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API ... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-49267 json | Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-48726 json | A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout ... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-46764 json | The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by num... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-46745 json | Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attacker... | Not Provided | 2026-05-25 | 2026-05-26 |
| CVE-2026-45426 json | Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-45361 json | Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic ... | Not Provided | 2026-05-25 | 2026-06-01 |
| CVE-2026-45360 json | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and d... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-45192 json | A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API us... | Not Provided | 2026-06-01 | 2026-06-01 |
| CVE-2026-43826 json | The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:passwor... | Not Provided | 2026-05-11 | 2026-05-11 |
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Airflow | 2.0.1 | |||
| Application | Apache | Airflow | 2.0.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.1 | |||
| Application | Apache | Airflow | 1.8.0 |