from 0, < 1.10.11
from 0, < 1.10.11
HIGH 8.8 ⚠ KEV Remote code execution (RCE) in Apache Airflow
from 0, < 1.10.11rc1
HIGH 8.8 ⚠ KEV Remote code execution (RCE) in Apache Airflow
from 0, < 1.10.11rc1
CRITICAL 9.8 Apache Airflow Providers Edge3 exposes internal API allowing RCE in web server context
from 0, < 2.0.0
CRITICAL 9.8 Apache Airflow vulnerable to Privilege Context Switching Error
from 0, < 2.6.0
CRITICAL 9.8 Apache Airflow vulnerable to Privilege Context Switching Error
from 0, < 2.6.0b1
CRITICAL 9.8 Apache Airflow Sqoop Provider Improper Input Validation vulnerability
from 0, < 3.1.1
CRITICAL 9.8 Command Injection in Apache Airflow and Apache Airflow MySQL Provider
from 0, < 2.5.1
CRITICAL 9.8 OS Command Injection in Apache Airflow
from 0, < 2.3.0
CRITICAL 9.8 OS Command Injection in Apache Airflow
from 0, < 2.3.0
CRITICAL 9.8 Apache Airflow Session Fixation vulnerability
>= 2.2.4, < 2.3.4rc1
CRITICAL 9.8 Apache Airflow Session Fixation vulnerability
>= 2.2.4, < 2.3.4rc1
CRITICAL 9.8 Missing Authentication for Critical Function in Apache Airflow
>= 2.0.0, < 2.1.3
CRITICAL 9.8 Missing Authentication for Critical Function in Apache Airflow
>= 2.0.0, < 2.1.3
CRITICAL 9.8 Command injection via Celery broker in Apache Airflow
from 0, < 1.10.11rc1
CRITICAL 9.8 Command injection via Celery broker in Apache Airflow
from 0, < 1.10.11rc1
CRITICAL 9.8 Insecure default config of Celery worker in Apache Airflow
from 0, < 1.10.11rc1
CRITICAL 9.8 Insecure default config of Celery worker in Apache Airflow
from 0, < 1.10.11
CRITICAL 9.8 Apache Airflow vulnerable to XSS
from 0, < 1.9.0
CRITICAL 9.8 Apache Airflow vulnerable to XSS
from 0, < 1.9.0
CRITICAL 9.1 Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
>= 3.0.0, < 3.2.2
CRITICAL 9.1 Apache Airflow: JWT token still valid after logout
>= 3.0.0, < 3.2.0
HIGH 8.8 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator
>= 3.2.0, < 3.2.2
HIGH 8.8 Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
>= 3.1.8, < 3.2.0
HIGH 8.8 Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
>= 3.1.8, < 3.2.0
HIGH 8.8 Apache Airflow vulnerable to Improper Encoding or Escaping of Output
from 0, <= 2.10.0-NA
HIGH 8.8 Apache Airflow vulnerable to Improper Encoding or Escaping of Output
>= 2.10.0, < 2.10.1
HIGH 8.8 Apache Airflow vulnerable to Execution with Unnecessary Privileges
from 0, < 2.10.1
HIGH 8.8 Apache Airflow vulnerable to Execution with Unnecessary Privileges
from 0, < 2.10.1
HIGH 8.8 Apache Airflow has DAG Author Code Execution possibility in airflow-scheduler
>= 2.4.0, < 2.9.3
HIGH 8.8 Apache Airflow has DAG Author Code Execution possibility in airflow-scheduler
>= 2.4.0, < 2.9.3
HIGH 8.8 Apache Airflow Execution with Unnecessary Privileges
from 0, < 2.6.0
HIGH 8.8 Apache Airflow Execution with Unnecessary Privileges
from 0, < 2.6.0b1
HIGH 8.8 Apache Airflow vulnerable to OS Command Injection via example DAGs
from 0, < 2.4.0
HIGH 8.8 Apache Airflow vulnerable to OS Command Injection via example DAGs
from 0, < 2.4.0
HIGH 8.8 OS Command injection in Apache Airflow
from 0, < 2.2.4
HIGH 8.8 OS Command injection in Apache Airflow
from 0, < 2.2.4
HIGH 8.8 Apache Airflow vulnerable to CSRF Attacks
from 0, < 1.10.3
HIGH 8.8 Apache Airflow vulnerable to CSRF Attacks
from 0, < 1.10.3b1
HIGH 8.8 Cross-Site Request Forgery (CSRF) in Apache Airflow
from 0, < 1.9.0
HIGH 8.8 Cross-Site Request Forgery (CSRF) in Apache Airflow
from 0, < 1.9.0
HIGH 8.8 Improper Input Validation in Apache Airflow resulting in Remote Code Execution
from 0, < 1.9.0
HIGH 8.8 Improper Input Validation in Apache Airflow resulting in Remote Code Execution
from 0, < 1.9.0
HIGH 8.4 Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table
from 0, < 2.11.1
HIGH 8.1 Apache Airflow: RCE by race condition in example_xcom dag
from 0, < 3.2.0
HIGH 8.1 Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
>= 3.1.0, < 3.1.8
HIGH 8.1 Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
>= 3.0.0, < 3.1.8
HIGH 8.1 Apache Airflow: Ignored Airflow Permission
>= 2.8.0, < 2.8.3rc1
HIGH 8.1 Apache Airflow: Ignored Airflow Permission
>= 2.8.0, < 2.8.3rc1
HIGH 8.1 Apache Airflow denial of service vulnerability
from 0, < 2.7.0
HIGH 8.1 Apache Airflow denial of service vulnerability
from 0, < 2.7.0b1
HIGH 8.1 Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API
from 0, < 2.4.2rc1
HIGH 8.1 Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API
from 0, < 2.4.1rc1
HIGH 8.0 Apache Airflow Session Fixation vulnerability
from 0, < 2.7.1rc1
HIGH 8.0 Apache Airflow Session Fixation vulnerability
from 0, < 2.7.0rc2
HIGH 7.7 Incorrect Session Validation in Apache Airflow
from 0, < 1.10.14
HIGH 7.7 Incorrect Session Validation in Apache Airflow
from 0, < 1.10.14
HIGH 7.5 Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation
>= 3.2.0, < 3.2.2
HIGH 7.5 Apache Airflow: JWT token appearing in logs
>= 3.0.0, < 3.2.0
HIGH 7.5 Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
from 0, < 3.2.0
HIGH 7.5 Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
>= 3.0.0, < 3.2.0
HIGH 7.5 Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
>= 3.0.0, < 3.1.8
HIGH 7.5 Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
>= 3.0.0, < 3.1.8
HIGH 7.5 Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
>= 3.0.0, < 3.1.8
HIGH 7.5 Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
>= 3.0.0, < 3.1.8
HIGH 7.5 Apache Airflow proxy credentials for various providers might leak in task logs
from 0, < 3.1.6
HIGH 7.5 Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated
>= 3.1.0, < 3.1.6
HIGH 7.5 Apache Airflow proxy credentials for various providers might leak in task logs
>= 3.0.0b1, < 3.1.6
HIGH 7.5 Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated
>= 3.1.0, < 3.1.6
HIGH 7.5 Apache Airflow: Sensitive configuration values are not masked in the logs by default
from 0, < 2.10.3
HIGH 7.5 Apache Airflow: pickle deserialization vulnerability in XComs
from 0, < 2.8.1rc1
HIGH 7.5 Apache Airflow: pickle deserialization vulnerability in XComs
from 0, < 2.8.1
HIGH 7.5 Apache Airflow Celery provider Insertion of Sensitive Information into Log File vulnerability
>= 1.10.0, < 2.7.0
HIGH 7.5 apache-airflow-providers-apache-drill Improper Input Validation vulnerability
from 0, < 2.4.3
HIGH 7.5 Apache Airflow Drill Provider vulnerable to improper input validation
from 0, < 2.3.2
HIGH 7.5 Apache Airflow subject to Exposure of Sensitive Information
from 0, < 2.3.1
HIGH 7.5 Apache Airflow subject to Exposure of Sensitive Information
from 0, < 2.3.1
HIGH 7.5 Apache Airflow vulnerable to Use of Externally-Controlled Format String
>= 2.3.0, < 2.4.0rc1
HIGH 7.5 Apache Airflow vulnerable to Use of Externally-Controlled Format String
>= 2.3.0, < 2.4.0b1
HIGH 7.5 Improper Certificate Validation in Apache Airflow
from 0, < 1.10.1
HIGH 7.5 Improper Certificate Validation in Apache Airflow
from 0, < 1.10.1
HIGH 7.3 Apache Airflow: Arbitrary import in custom deadline-reference deserialization
from 0, < 3.2.2
HIGH 7.2 Apache Airflow allows code execution through crafted XCom payloads
from 0, < 3.2.0
MEDIUM 6.5 Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path
from 0, < 3.2.2
MEDIUM 6.5 Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler
from 0, < 3.2.2
MEDIUM 6.5 Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking
from 0, < 3.2.2
MEDIUM 6.5 Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response
from 0, < 3.2.2
MEDIUM 6.5 Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
from 0, < 3.1.8
MEDIUM 6.5 Apache Airflow has an authorization bypass in DagRun wait endpoint
>= 3.0.0, < 3.2.0
MEDIUM 6.5 Apache Airflow has an authorization bypass in DagRun wait endpoint
>= 3.0.0, < 3.2.0
MEDIUM 6.5 Apache Airflow exposes sensitive information in its log files
from 0, < 2.11.1
MEDIUM 6.5 Apache Airflow error reporting may expose full kwargs
from 0, < 2.11.1
MEDIUM 6.5 Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access
>= 3.1.0, < 3.1.7
MEDIUM 6.5 Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access
>= 3.1.0, < 3.1.7
MEDIUM 6.5 Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users
>= 3.0.0, < 3.1.7
MEDIUM 6.5 Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users
from 0, < 3.1.7
MEDIUM 6.5 Apache Airflow exposes secret values to authenticated UI users via rendered templates
>= 3.1.0, < 3.1.5
MEDIUM 6.5 Apache Airflow exposes secret values to authenticated UI users via rendered templates
>= 3.1.0, < 3.1.4
MEDIUM 6.5 Apache Airflow: Connection sensitive details exposed to users with READ permissions
from 0, <= 3.0.3-NA
MEDIUM 6.5 Apache Airflow: Connection sensitive details exposed to users with READ permissions
>= 3.0.3, < 3.0.4
MEDIUM 6.5 Apache Airflow vulnerable to Insertion of Sensitive Information Into Sent Data
from 0, < 2.10.3
MEDIUM 6.5 Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service
>= 2.3.0, < 2.6.1
MEDIUM 6.5 Apache Airflow: Bypass permission verification to read code of other dags
from 0, < 2.8.1rc1
MEDIUM 6.5 Apache Airflow: Bypass permission verification to read code of other dags
from 0, < 2.8.1
MEDIUM 6.5 Apache Airflow Improper Access Control vulnerability
from 0, < 2.8.0
MEDIUM 6.5 Apache Airflow Cross-Site Request Forgery vulnerability
>= 2.7.0, < 2.8.0b1
MEDIUM 6.5 Apache Airflow Improper Access Control vulnerability
from 0, < 2.8.0
MEDIUM 6.5 Apache Airflow Cross-Site Request Forgery vulnerability
>= 2.7.0, < 2.8.0
MEDIUM 6.5 Apache Airflow vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
from 0, < 2.7.3
MEDIUM 6.5 Apache Airflow vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
from 0, < 2.7.3
MEDIUM 6.5 Apache Airflow vulnerable to sensitive information exposure when users list warnings for all DAGs
from 0, < 2.7.2
MEDIUM 6.5 Apache Airflow vulnerable to sensitive information exposure
from 0, < 2.7.2
MEDIUM 6.5 Apache Airflow vulnerable to privilege escalation
from 0, < 2.7.2
MEDIUM 6.5 Apache Airflow vulnerable to sensitive information exposure
from 0, < 2.7.2
MEDIUM 6.5 Apache Airflow vulnerable to privilege escalation
from 0, < 2.7.2
MEDIUM 6.5 Apache Airflow vulnerable to sensitive information exposure when users list warnings for all DAGs
from 0, < 2.7.2
MEDIUM 6.5 Apache Airflow information exposure vulnerability
from 0, < 2.7.1
MEDIUM 6.5 Apache Airflow information exposure vulnerability
from 0, < 2.7.1
MEDIUM 6.5 Apache Airflow Improper Input Validation vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow Improper Input Validation vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow Path Traversal vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow Incorrect Authorization vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow Incorrect Authorization vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow Improper Input Validation vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow Path Traversal vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow Improper Input Validation vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow information disclosure vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow information disclosure vulnerability
from 0, < 2.6.3
MEDIUM 6.5 Apache Airflow vulnerable to exposure of sensitive information
>= 2.5.0, < 2.6.2
MEDIUM 6.5 Apache Airflow vulnerable to exposure of sensitive information
>= 2.5.0, < 2.6.2rc1
MEDIUM 6.5 Improper Privilege Management in apache-airflow
>= 1.10.0, < 2.0.0b1, >= 2.0.0, < 2.2.0
MEDIUM 6.5 Improper Privilege Management in apache-airflow
from 0, < 2.2.0
MEDIUM 6.5 Improper Access Control in Apache Airflow
from 0, < 2.0.1
MEDIUM 6.5 Improper Access Control in Apache Airflow
>= 2.0.0, < 2.0.1rc1
MEDIUM 6.1 Apache Airflow Cross-site Scripting Vulnerability
from 0, < 2.10.0
MEDIUM 6.1 Apache Airflow Cross-site Scripting Vulnerability
from 0, < 2.10.0
MEDIUM 6.1 Apache Airflow Contains Open Redirect
from 0, < 2.4.3
MEDIUM 6.1 Apache Airflow Contains Open Redirect
from 0, < 2.4.3
MEDIUM 6.1 Apache Airflow Cross-site Scripting vulnerability
from 0, < 2.4.2rc1
MEDIUM 6.1 Apache Airflow Cross-site Scripting vulnerability
from 0, < 2.4.2
MEDIUM 6.1 Apache Airflow Open Redirect vulnerability
from 0, < 2.4.2rc1
MEDIUM 6.1 Apache Airflow Open Redirect vulnerability
from 0, < 2.4.2
MEDIUM 6.1 Apache Airflow contains open redirect
>= 2.3.0, < 2.4.0b1
MEDIUM 6.1 Apache Airflow contains open redirect
>= 2.3.0, < 2.4.0rc1
MEDIUM 6.1 Apache Airflow Reflected Cross-site Scripting vulnerability in 404 Endpoint
from 0, < 1.9.0
MEDIUM 6.1 Apache Airflow Reflected Cross-site Scripting vulnerability in 404 Endpoint
from 0, < 1.9.0
MEDIUM 6.1 Apache Airflow Cross-site Scripting Vulnerability
from 0, < 2.2.4rc1
MEDIUM 6.1 Apache Airflow Cross-site Scripting Vulnerability
from 0, < 2.2.4rc1
MEDIUM 6.1 Cross-site Scripting in Apache Airflow
>= 1.8.1, < 1.10.15, >= 2.0.0, < 2.0.2
MEDIUM 6.1 Cross-site Scripting in Apache Airflow
from 0, < 1.10.15
MEDIUM 6.1 Apache Airflow Cross-site Scripting
from 0, < 1.10.12
MEDIUM 6.1 Apache Airflow Cross-site Scripting
from 0, < 1.10.12
MEDIUM 6.1 Apache Airflow cross-site scripting due to incomplete fix for CVE-2020-13944
from 0, < 1.10.13
MEDIUM 6.1 Apache Airflow cross-site scripting due to incomplete fix for CVE-2020-13944
from 0, < 1.10.15rc1
MEDIUM 6.1 Stored XSS in Apache Airflow
from 0, < 1.10.11rc1
MEDIUM 6.1 Stored XSS in Apache Airflow
from 0, < 1.10.11
MEDIUM 5.9 Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy
>= 3.0.0, < 3.2.2
MEDIUM 5.9 Apache Airflow: DAG Code and Import Error Permissions Ignored
from 0, < 2.8.2
MEDIUM 5.9 Apache Airflow: DAG Code and Import Error Permissions Ignored
from 0, < 2.8.2
MEDIUM 5.9 Apache Airflow missing Certificate Validation
from 0, < 2.7.0
MEDIUM 5.5 Apache Airflow does not return the "Cache-Control" header for dynamic content
from 0, < 2.9.2
MEDIUM 5.5 Apache Airflow does not return the "Cache-Control" header for dynamic content
from 0, < 2.9.2
MEDIUM 5.5 OS Command Injection in Apache Airflow
from 0, < 2.3.0
MEDIUM 5.5 Apache Airflow vulnerable to Stored XSS
from 0, < 1.10.2
MEDIUM 5.5 Apache Airflow vulnerable to Stored XSS
from 0, < 1.10.2
MEDIUM 5.4 Apache Airflow `/api/v2/dagReports` executes DAG Python in API
>= 3.0.0, < 3.1.1
MEDIUM 5.4 Apache Airflow Potential Cross-site Scripting Vulnerability
from 0, < 2.9.3
MEDIUM 5.4 Apache Airflow Potential Cross-site Scripting Vulnerability
from 0, < 2.9.3
MEDIUM 5.4 Apache Airflow: XSS vulnerability in Task Instance Log/Log Details
>= 2.9.0, < 2.9.1
MEDIUM 5.4 Apache Airflow: XSS vulnerability in Task Instance Log/Log Details
from 0, <= 2.9.0-NA, <= 2.9.0-beta1, <= 2.9.0-beta2, <= 2.9.0-rc1, <= 2.9.0-rc2, <= 2.9.0-rc3
MEDIUM 5.4 Apache Airflow has a stored cross-site scripting vulnerability
>= 2.6.0, < 2.8.0b1
MEDIUM 5.4 Apache Airflow has a stored cross-site scripting vulnerability
>= 2.6.0, < 2.8.0b1
MEDIUM 5.4 Apache Airflow vulnerable to stored Cross-site Scripting
from 0, < 2.6.0
MEDIUM 5.4 Apache Airflow vulnerable to stored Cross-site Scripting
from 0, < 2.6.0
MEDIUM 5.4 Multiple stored XSS in RBAC Admin screens in Apache Airflow
from 0, < 1.10.11rc1
MEDIUM 5.4 Multiple stored XSS in RBAC Admin screens in Apache Airflow
from 0, < 1.10.11
MEDIUM 5.3 Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false
from 0, < 3.2.0
MEDIUM 5.3 Apache Airflow Improper Preservation of Permissions vulnerability
>= 2.8.2, < 2.8.4
MEDIUM 5.3 Sensitive Information in Error Messages in Apache Airflow
from 0, < 2.5.2
MEDIUM 5.3 Sensitive Information in Error Messages in Apache Airflow
from 0, < 2.5.2rc1
MEDIUM 5.3 Missing Authorization in Apache Airflow
from 0, < 2.1.2
MEDIUM 5.3 Missing Authorization in Apache Airflow
from 0, < 2.1.2
MEDIUM 5.3 Improper Authentication in Apache Airflow
>= 2.0.0, < 2.0.1rc1
MEDIUM 5.3 Improper Authentication in Apache Airflow
from 0, < 2.0.1
MEDIUM 5.3 SSRF vulnerability in Apache Airflow
from 0, < 1.10.13
MEDIUM 5.3 SSRF vulnerability in Apache Airflow
from 0, < 1.10.13
MEDIUM 4.8 Apache Airflow Provider for Databricks: TLS Certificate Verification is Disabled in Databricks Provider K8s Token Exchange
>= 1.10.0, < 1.12.0
MEDIUM 4.8 XSS in Apache Airflow
from 0, < 1.10.5
MEDIUM 4.8 XSS in Apache Airflow
from 0, < 1.10.5
MEDIUM 4.8 Apache Airflow vulnerable to XSS and local file disclosure
from 0, < 1.10.6rc1
MEDIUM 4.8 Apache Airflow vulnerable to Stored XSS
from 0, < 1.10.3
MEDIUM 4.8 Apache Airflow vulnerable to Stored XSS
from 0, < 1.10.3b1
MEDIUM 4.7 Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users
from 0, < 2.8.2
MEDIUM 4.7 Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users
from 0, < 2.8.2
MEDIUM 4.7 Apache Airflow exposes arbitrary file content
from 0, < 2.3.4
MEDIUM 4.7 Apache Airflow exposes arbitrary file content
from 0, < 2.3.4
MEDIUM 4.6 Apache Airflow has a command injection vulnerability in "example_dag_decorator"
>= 3.0.0, < 3.0.5
MEDIUM 4.6 Apache Airflow's create action can upsert existing Pools/Connections/Variables
>= 3.0.0, < 3.1.1
MEDIUM 4.3 Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
>= 3.2.0, < 3.2.2
MEDIUM 4.3 Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions
from 0, < 3.2.1rc1
MEDIUM 4.3 Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record
from 0, < 3.2.1rc1
MEDIUM 4.3 Apache Airflow: DAG authorization bypass
>= 3.0.0, < 3.1.8
MEDIUM 4.3 Apache Airflow: DAG authorization bypass
>= 3.0.0, < 3.1.8
MEDIUM 4.3 Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
>= 2.7.0, < 2.9.0
MEDIUM 4.3 Apache Airflow vulnerable to Exposure of Resource to Wrong Sphere
from 0, < 2.8.0
MEDIUM 4.3 Apache Airflow vulnerable to Exposure of Resource to Wrong Sphere
from 0, < 2.8.0
MEDIUM 4.3 Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
from 0, < 2.7.3
MEDIUM 4.3 Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
from 0, < 2.7.3
MEDIUM 4.3 Apache Airflow vulnerable to Exposure of Sensitive Information
>= 2.4.0, < 2.7.0
MEDIUM 4.3 Apache Airflow vulnerable to Exposure of Sensitive Information
>= 2.4.0, < 2.7.2
MEDIUM 4.3 Apache Airflow vulnerable to sensitive information exposure when expose-config is set to non-sensitive-only
>= 2.7.0, < 2.7.2
MEDIUM 4.3 Apache Airflow vulnerable to sensitive information exposure when expose-config is set to non-sensitive-only
>= 2.7.0, < 2.7.2
MEDIUM 4.3 Apache Airflow Incorrect Authorization vulnerability
from 0, < 2.7.1
MEDIUM 4.3 Apache Airflow Incorrect Authorization vulnerability
from 0, < 2.7.1
MEDIUM 4.2 Apache Airflow Providers FAB Insufficient Session Expiration vulnerability
from 0, <= 1.2.1, <= 1.2.0
LOW 3.7 Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries
>= 3.0.0, < 3.2.0
LOW 3.7 Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries
>= 3.0.0, < 3.2.0
LOW 3.1 Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access
>= 3.0.0, < 3.2.2
LOW 2.8 Apache Airflow logs passwords in plaintext
from 0, < 1.10.13
LOW 2.8 Apache Airflow logs passwords in plaintext
from 0, < 1.10.13