CVE-2024-56373

CWE-94: Code Injection (5 documents, 5 sources)

Severity: 8.4 HIGH
EPSS: 0.0% (top 87.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24

Description

A DAG Author (who already has quite a lot of permissions) could manipulate the database of Airflow 2 in a way that executes arbitrary code in the web-server context, which they should normally not be able to do, potentially leading to remote code execution in the context of the web-server (server-side) when a user views historical task information. The functionality responsible for this (log template history) has been disabled by default in 2.11.1, and users should upgrade to Airflow 3 if they

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Exploitability: 1.7 | Impact: 6.0

Affected Packages (3 packages)

NVD: apache/airflow < 2.11.1
PyPI: apache-airflow < 2.11.1

🔴 Vulnerability Details (3 entries)

OSV: Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table (2026-02-24)
GHSA: Apache Airflow vulnerable to Code Injection in the web-server context via LogTemplate table (2026-02-24)
CVEList: Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information (2026-02-24)

🕵️ Threat Intelligence (1 entry)

Wiz: CVE-2024-56373 Impact, Exploitability, and Mitigation Steps | Wiz