Known Vulnerabilities for Airflow by Apache
Listed below are 10 of the newest known vulnerabilities associated with "Airflow" by "Apache".
These CVEs are retrieved based on exact matches on listed software, hardware, and vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed software information are still displayed.
Data on known vulnerable versions is also displayed based on information from known CPEs
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-43826 json | The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:passwor... | Not Provided | 2026-05-11 | 2026-05-11 |
| CVE-2026-41018 json | The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:pass... | Not Provided | 2026-05-11 | 2026-05-11 |
| CVE-2026-41016 json | Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate... | Not Provided | 2026-04-30 | 2026-04-30 |
| CVE-2026-40948 json | The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state`... | Not Provided | 2026-04-18 | 2026-04-20 |
| CVE-2026-40690 json | Not Provided | 2026-04-24 | 2026-04-27 | |
| CVE-2026-38743 json | The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInst... | Not Provided | 2026-04-24 | 2026-04-24 |
| CVE-2026-34538 json | Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG R... | Not Provided | 2026-04-09 | 2026-04-09 |
| CVE-2026-33858 json | Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the we... | Not Provided | 2026-04-13 | 2026-04-14 |
| CVE-2026-32794 json | Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certi... | Not Provided | 2026-03-30 | 2026-03-31 |
| CVE-2026-32690 json | Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the use... | Not Provided | 2026-04-18 | 2026-04-20 |
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Airflow | 2.0.1 | |||
| Application | Apache | Airflow | 2.0.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.9.0 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.2 | |||
| Application | Apache | Airflow | 1.8.1 | |||
| Application | Apache | Airflow | 1.8.0 |