Apache Airflow — CVE history (PyPI)
Apache Airflow
19 CVEs affect the Apache Airflow PyPI package (highest CVSS 9.1). Latest disclosed: 2026-06-01. Full CVE history sourced from NVD.
Summary
- Package: Apache Airflow (PyPI)
- Total CVEs: 19
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.1
- Latest disclosed: 2026-06-01
Recent CVEs (top 19)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-49298 | High | 8.8 | — | 2026-06-01 | A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. |
| CVE-2026-49267 | Medium | 5.9 | — | 2026-06-01 | Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. |
| CVE-2026-48726 | Medium | 6.5 | — | 2026-06-01 | A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `r… |
| CVE-2026-46764 | Medium | 4.3 | — | 2026-06-01 | The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` a… |
| CVE-2026-45426 | Low | 3.1 | — | 2026-06-01 | Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. |
| CVE-2026-45360 | High | 7.3 | — | 2026-06-01 | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-r… |
| CVE-2026-42360 | Medium | 6.5 | — | 2026-06-01 | A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. |
| CVE-2026-42359 | High | 8.8 | — | 2026-06-01 | A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. |
| CVE-2026-42358 | Medium | 6.5 | — | 2026-06-01 | A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared se… |
| CVE-2026-42252 | Critical | 9.1 | — | 2026-06-01 | Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sani… |
| CVE-2026-41084 | High | 7.5 | — | 2026-06-01 | A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_… |
| CVE-2026-41017 | Medium | 5.9 | — | 2026-06-01 | Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. |
| CVE-2026-41014 | Medium | 4.3 | — | 2026-06-01 | The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. |
| CVE-2026-40963 | Low | 3.1 | — | 2026-06-01 | The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. |
| CVE-2026-40961 | High | 7.2 | — | 2026-06-01 | A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. |
| CVE-2026-40861 | Medium | 6.5 | — | 2026-06-01 | A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. |
| CVE-2026-45192 | Medium | 6.5 | — | 2026-06-01 | A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field name… |
| CVE-2026-41016 | Medium | 5.9 | — | 2026-04-30 | Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. |
| CVE-2019-12398 | — | — | — | 2020-01-14 | In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42252 | Critical | 9.1 | — | 2026-06-01 | Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sani… |
| CVE-2026-49298 | High | 8.8 | — | 2026-06-01 | A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. |
| CVE-2026-42359 | High | 8.8 | — | 2026-06-01 | A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. |
| CVE-2026-41084 | High | 7.5 | — | 2026-06-01 | A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_… |
| CVE-2026-45360 | High | 7.3 | — | 2026-06-01 | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-r… |
| CVE-2026-40961 | High | 7.2 | — | 2026-06-01 | A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. |
| CVE-2026-48726 | Medium | 6.5 | — | 2026-06-01 | A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `r… |
| CVE-2026-42360 | Medium | 6.5 | — | 2026-06-01 | A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. |
| CVE-2026-42358 | Medium | 6.5 | — | 2026-06-01 | A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared se… |
| CVE-2026-40861 | Medium | 6.5 | — | 2026-06-01 | A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. |