Vulnerabilities

Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.

Filtering: Group: vendors Tag: airflow Clear
ID Title
CVE-2026-46764 Vulnerability in airflow (CVE-2026-46764)
vulnerability in airflow (CVE-2026-46764). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/v2/eventLogs/{event_log_id}`. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-49267 Vulnerability in airflow (CVE-2026-49267)
vulnerability in airflow (CVE-2026-49267). Confidential information can be exposed externally. Exploitable via ``airflow.utils.email``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-49298 Vulnerability in airflow (CVE-2026-49298)
vulnerability in airflow (CVE-2026-49298). Successful exploitation can lead to full system takeover. Exploitable via ``KubernetesExecutor``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-48726 Vulnerability in apache-airflow (CVE-2026-48726)
vulnerability in apache-airflow (CVE-2026-48726). Confidential information can be exposed externally. Exploitable via ``FabAuthManager``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-42358 Information Disclosure in airflow (CVE-2026-42358)
vulnerability in airflow (CVE-2026-42358). Confidential information can be exposed externally. Exploitable via ``password``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-45360 Unsafe Deserialization in apache-airflow (CVE-2026-45360)
vulnerability in apache-airflow (CVE-2026-45360). Risk of unauthorized operations or information disclosure. Exploitable via ``DeadlineReference``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-42359 Unsafe Deserialization in apache-airflow (CVE-2026-42359)
vulnerability in apache-airflow (CVE-2026-42359). Successful exploitation can lead to full system takeover. Exploitable via `PATCH /api/v2/xcomEntries/{key}`. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-42252 Vulnerability in apache-airflow (CVE-2026-42252)
vulnerability in apache-airflow (CVE-2026-42252). Confidential information can be exposed externally. Exploitable via ``Dag.can_trigger``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-45426 Authorization Flaw in apache-airflow (CVE-2026-45426)
vulnerability in apache-airflow (CVE-2026-45426). Risk of unauthorized operations or information disclosure. Exploitable via ``sub``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-41084 Vulnerability in apache-airflow (CVE-2026-41084)
vulnerability in apache-airflow (CVE-2026-41084). Data can be tampered with by attackers. Exploitable via `DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-42360 Information Disclosure in apache-airflow (CVE-2026-42360)
vulnerability in apache-airflow (CVE-2026-42360). Confidential information can be exposed externally. Exploitable via ``password``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-40861 Vulnerability in apache-airflow (CVE-2026-40861)
vulnerability in apache-airflow (CVE-2026-40861). Confidential information can be exposed externally. Exploitable via ``airflow.cfg``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-40963 Vulnerability in airflow (CVE-2026-40963)
vulnerability in airflow (CVE-2026-40963). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-40961 Open Redirect in airflow (CVE-2026-40961)
vulnerability in airflow (CVE-2026-40961). Risk of unauthorized operations or information disclosure. Exploitable via ``is_safe_url``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-41014 Vulnerability in apache-airflow (CVE-2026-41014)
vulnerability in apache-airflow (CVE-2026-41014). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-41017 Vulnerability in apache-airflow (CVE-2026-41017)
vulnerability in apache-airflow (CVE-2026-41017). Confidential information can be exposed externally. Exploitable via ``JWTRefreshMiddleware``. Mitigation: upgrade to `3.2.2` or later.
CVE-2026-45192 Information Disclosure in apache-airflow (CVE-2026-45192)
vulnerability in apache-airflow (CVE-2026-45192). Confidential information can be exposed externally. Exploitable via ``extra``. Mitigation: upgrade to `3.2.2` or later.
CVE-2023-51702 Vulnerability in apache (CVE-2023-51702)
vulnerability in apache (CVE-2023-51702). Confidential information can be exposed externally.
CVE-2020-11978 KEV [KEV] OS Command Injection in Apache airflow (CVE-2020-11978)
OS command injection in Apache airflow (CVE-2020-11978). Risk of unauthorized operations or information disclosure. Listed in CISA KEV — actively exploited.

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →