Package impact
PyPI / apache-airflow
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42252 | critical | 9.1 | 9.1 | 3d ago | Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] … | |||
| CVE-2026-45426 | low | 3.1 | 3.1 | 3d ago | Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against … | |||
| CVE-2020-13927 | unknown | — | 2.5 | 5y ago | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication. | |||
| CVE-2020-11978 | unknown | — | 2.5 | 6y ago | A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow. |