Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: apache-airflow

Found 6 matching suggestions

View:
Compact
Detailed
Permalink CVE-2024-56373
8.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 1 week ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information

DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.

Affected products

apache-airflow
  • <2.11.1

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Upstream announcement: https://lists.apache.org/thread/2vrmrhcht6g7cp5yjxpnrk2wtrncm6cy
Permalink CVE-2025-27555
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli

Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378

Affected products

apache-airflow
  • <2.11.1

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Upstream announcement: https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw
Upstream patch: https://github.com/apache/airflow/commit/3adfc6c40ef552608c9fc05e01b27ef3cac5006a
Permalink CVE-2025-65995
updated 1 month, 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @mweinelt accepted 1 month, 2 weeks ago
  • @mweinelt published on GitHub 1 month, 2 weeks ago
Apache Airflow: Disclosure of secrets to UI via kwargs

When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.  The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.

Affected products

apache-airflow
  • <3.1.4
  • <2.11.1

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

http://www.openwall.com/lists/oss-security/2025/12/12/2
https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2
https://github.com/apache/airflow/pull/58252
https://github.com/apache/airflow/pull/61883
Permalink CVE-2026-24098
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago
Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Affected products

apache-airflow
  • <3.1.7

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Upstream announcement: https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x
Permalink CVE-2026-22922
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago
Apache Airflow: Airflow externalLogUrl Permission Bypass

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.

Affected products

apache-airflow
  • <3.1.7

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Upstream announcement: https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40
Permalink CVE-2025-68675
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 3 weeks ago
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago
Apache Airflow: proxy credentials for various providers might leak in task logs

In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

Affected products

apache-airflow
  • <3.1.6

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers

Upstream advisory: https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5