| CVE-2026-42252 |
critical |
9.1 |
9.1 |
|
|
|
3d ago |
Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] … |
| CVE-2026-48726 |
medium |
6.5 |
6.5 |
|
|
|
3d ago |
A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` … |
| CVE-2026-42360 |
medium |
6.5 |
6.5 |
|
|
|
3d ago |
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be by… |
| CVE-2026-40861 |
medium |
6.5 |
6.5 |
|
|
|
3d ago |
A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg… |
| CVE-2026-45192 |
medium |
6.5 |
6.5 |
|
|
|
3d ago |
A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connect… |
| CVE-2026-41017 |
medium |
5.9 |
5.9 |
|
|
|
3d ago |
Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy … |
| CVE-2026-38743 |
medium |
— |
5.5 |
|
|
|
1mo ago |
Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record |
| CVE-2026-40690 |
medium |
— |
5.5 |
|
|
|
1mo ago |
Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions |
| CVE-2026-41014 |
medium |
4.3 |
4.3 |
|
|
|
3d ago |
The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerat… |
| CVE-2026-45426 |
low |
3.1 |
3.1 |
|
|
|
3d ago |
Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against … |
