
Apache Software Foundation Apache Airflow vulnerabilities

119 known vulnerabilities affecting apache_software_foundation/apache_airflow.

Total CVEs: 119
CISA KEV: 1 (actively exploited)
Public exploits: 6
Exploited in wild: 1
Severity breakdown: CRITICAL 10, HIGH 36, MEDIUM 68, LOW 3, UNKNOWN 2

Vulnerabilities

Page 1 of 6
CVE-2026-41084 | HIGH | CVSS 7.5 | Affected: ≥ 3.2.0, < 3.2.2 | 2026-06-01
CWE-639. A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could
Source: nvd
CVE-2026-40961 | HIGH | CVSS 7.2 | Affected: ≥ 3.0.0, < 3.2.2 | 2026-06-01
CWE-601. A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can place Airfl
Source: nvd
CVE-2026-45360 | HIGH | CVSS 7.3 | Fixed in 3.2.2 | 2026-06-01
CWE-502. Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG
Source: nvd
CVE-2026-41014 | MEDIUM | CVSS 4.3 | Affected: ≥ 3.2.0, < 3.2.2 | 2026-06-01
CWE-862. The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read
Source: nvd
CVE-2026-45192 | MEDIUM | CVSS 6.5 | Fixed in 3.2.2 | 2026-06-01
CWE-200. A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider cre
Source: nvd
CVE-2026-41017 | MEDIUM | CVSS 5.9 | Affected: ≥ 3.0.0, < 3.2.2 | 2026-06-01
CWE-614. Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session
Source: nvd
CVE-2026-40861 | MEDIUM | CVSS 6.5 | Fixed in 3.2.2 | 2026-06-01
CWE-59. A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler
Source: nvd
CVE-2026-46764 | MEDIUM | CVSS 4.3 | Fixed in 3.2.2 | 2026-06-01
CWE-639. The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve a
Source: nvd
CVE-2026-40963 | LOW | CVSS 3.1 | Affected: ≥ 3.0.0, < 3.2.2 | 2026-06-01
CWE-285. The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deploymen
Source: nvd
CVE-2026-45426 | LOW | CVSS 3.1 | Affected: ≥ 3.0.0, < 3.2.2 | 2026-06-01
CWE-863. Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the requested path segment when verifying the JWT's `sub` claim. `str.lstrip()` strips any of a *set* of cha
Source: nvd
CVE-2026-27173 | HIGH | CVSS 8.7 | Fixed in 3.2.2 | 2026-05-19
CWE-538. JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read-only access to Kubernetes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via the Task SDK, and potentially allow modifying the state of the Airflow Database for tasks.
Source: nvd
CVE-2026-41016 | MEDIUM | CVSS 5.9 | Affected: ≥ 2.0.0, < 3.2.2 | 2026-04-30
CWE-295. Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent dur
Source: nvd
CVE-2026-38743 | MEDIUM | CVSS 4.3 | Fixed in 3.2.1 | 2026-04-24
CWE-1220. The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because HITL p
Source: nvd
CVE-2026-40690 | MEDIUM | CVSS 4.3 | Fixed in 3.2.1 | 2026-04-24
CWE-1220. The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes thi
Source: nvd
CVE-2026-30912 | HIGH | CVSS 7.5 | Fixed in 3.2.0 | 2026-04-18
CWE-668. In case of SQL errors, the exception/stack trace was exposed in the API even if "api/expose_stack_traces" was set to false. That could expose additional information to a potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
Source: nvd
CVE-2026-25917 | HIGH | CVSS 7.2 | Fixed in 3.2.0 | 2026-04-18
CWE-502. Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
Source: nvd
CVE-2026-32228 | HIGH | CVSS 7.5 | Affected: ≥ 3.0.0, < 3.2.0 | 2026-04-18
CWE-863. A UI/API user with asset materialize permission could trigger Dags they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue.
Source: nvd
CVE-2026-30898 | HIGH | CVSS 8.8 | Fixed in 3.2.0 | 2026-04-18
CWE-77. An example of BashOperator in the Airflow documentation suggested a way of passing dag_run.conf that could cause unsanitized user input to be used to escalate the privileges of a UI user, allowing code execution on the worker. Users should review whether any of their own DAGs have adopted this incorrect advice.
Source: nvd
CVE-2026-32690 | LOW | CVSS 3.7 | Fixed in 3.2.2 | 2026-04-18
CWE-668. Secrets in Variables saved as JSON dictionaries were not properly redacted: when the variables were retrieved by the user, the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise, please upgrade to Apache Airflow 3.2.0, which has the fix implemented.
Source: nvd
CVE-2026-31987 | HIGH | CVSS 7.5 | Affected: ≥ 3.0.0, < 3.2.0 | 2026-04-16
CWE-532. JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix; users are recommended to upgrade to version 3.2.0, which fixes this issue.
Source: nvd