| CVE | Severity | Score | Score | Age | Summary |
|---|---|---|---|---|---|
| CVE-2026-42252 | critical | 9.1 | 9.1 | 3d ago | Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] …` |
| CVE-2026-42359 | high | 8.8 | 8.8 | 3d ago | A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (… |
| CVE-2026-25917 | high | — | 8.0 | 2mo ago | Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly tr… |
| CVE-2026-41084 | high | 7.5 | 7.5 | 3d ago | A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path whi… |
| CVE-2026-45360 | high | 7.3 | 7.3 | 3d ago | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialize… |
| CVE-2020-13927 | unknown | — | 2.5 | 5y ago | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication. |
| CVE-2020-11978 | unknown | — | 2.5 | 6y ago | A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow. |