Apache Airflow vulnerabilities

CVE-2026-42252 [CRITICAL] CVE-2026-42252: Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when tr Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had `Dag.can_trigger` permi

CVE-2026-41084 [HIGH] CWE-639 CVE-2026-41084: A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_ A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could

CVE-2026-40961 [HIGH] CWE-601 CVE-2026-40961: A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that b A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can place Airfl

CVE-2026-41014 [MEDIUM] CWE-862 CVE-2026-41014: The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not p The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read

CVE-2026-42360 [MEDIUM] CVE-2026-42360: A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context,

CVE-2026-42358 [MEDIUM] CVE-2026-42358: A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret- A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nested item before checking the sensitive key name. An

CVE-2026-45192 [MEDIUM] CWE-200 CVE-2026-45192: A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed a A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider cre

CVE-2026-41017 [MEDIUM] CWE-614 CVE-2026-41017: Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deploy Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session

CVE-2026-40861 [MEDIUM] CWE-59 CVE-2026-40861: A Dag author could either (a) create a symlink under their task's log directory pointing to an arbit A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler

CVE-2026-46764 [MEDIUM] CWE-639 CVE-2026-46764: The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve a

CVE-2026-40963 [LOW] CWE-285 CVE-2026-40963: The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Da The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deploymen

CVE-2026-45426 [LOW] CWE-863 CVE-2026-45426: Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the requested path segment when verifying the JWT's `sub` claim. `str.lstrip()` strips any of a *set* of cha

CVE-2026-41016 [MEDIUM] CWE-295 CVE-2026-41016: Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL c Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent dur

CVE-2026-38743 [MEDIUM] CWE-1220 CVE-2026-38743: The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the- The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because HITL p

CVE-2026-40690 [MEDIUM] CWE-1220 CVE-2026-40690: The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes thi

CVE-2026-30912 [HIGH] CWE-668 CVE-2026-30912: In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_ In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

CVE-2026-25917 [HIGH] CWE-502 CVE-2026-25917: Dag Authors, who normally should not be able to execute code in the webserver context could craft XC Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

CVE-2026-32228 [HIGH] CWE-863 CVE-2026-32228: UI / API User with asset materialize permission could trigger dags they had no access to. Users are UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

CVE-2026-30898 [HIGH] CWE-77 CVE-2026-30898: An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the w An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice.

CVE-2026-32690 [LOW] CWE-668 CVE-2026-32690: Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented