CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-66388 – Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI
https://notcve.org/view.php?id=CVE-2025-66388
15 Dec 2025 — A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.
• https://github.com/apache/airflow/pull/58772
• CWE-201: Insertion of Sensitive Information Into Sent Data
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-54941 – Apache Airflow: Command injection in "example_dag_decorator"
https://notcve.org/view.php?id=CVE-2025-54941
30 Oct 2025 — An example DAG, `example_dag_decorator`, had a non-validated parameter that allowed a UI user to redirect the example to a malicious server and execute code on the worker. This, however, required that the example DAGs were enabled in production (not the default) or that the example DAG code had been copied to build your own similar DAG. If you used `example_dag_decorator`, please review it and apply the changes implemented in Airflow 3.0.5 accordingly.
• https://lists.apache.org/thread/c6q6nofc6xl5bms039ks9b34v0v36df1
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-62402 – Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API
https://notcve.org/view.php?id=CVE-2025-62402
30 Oct 2025 — API users could, via `/api/v2/dagReports`, perform DAG code execution in the context of the api-server if the api-server was deployed in an environment where DAG files were available.
• https://lists.apache.org/thread/vbzxnxn031wb998hsd7vqnvh4z8nx6rs
• CWE-250: Execution with Unnecessary Privileges
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-62503 – Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables)
https://notcve.org/view.php?id=CVE-2025-62503
30 Oct 2025 — A user with CREATE but no UPDATE privilege for Pools, Connections or Variables could update existing records via the bulk create API with the overwrite action.
• https://lists.apache.org/thread/3v58249qscyn1hg240gh8hqg9pb4okcr
• CWE-250: Execution with Unnecessary Privileges
CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-54831 – Apache Airflow: Connection sensitive details exposed to users with READ permissions
https://notcve.org/view.php?id=CVE-2025-54831
26 Sep 2025 — Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configur...
• https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5podxspf
• CWE-213: Exposure of Sensitive Information Due to Incompatible Policies
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-50213 – Apache Airflow Providers Snowflake: Potential SQL injection in CopyFromExternalStageToSnowflakeOperator
https://notcve.org/view.php?id=CVE-2025-50213
24 Jun 2025 — Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitization of the table and stage parameters was added to CopyFromExternalStageToSnowflakeOperator to prevent SQL injection. Users are recommended to upgrade to version 6.4.0, which fixes the issue. Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Ap...
• https://github.com/apache/airflow/pull/51734
• CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-30473 – Apache Airflow Common SQL Provider: Remote Code Execution via SQL Injection
https://notcve.org/view.php?id=CVE-2025-30473
07 Apr 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. When the partition clause in SQLTableCheckOperator was used as a parameter (which was a recommended pattern), an authenticated UI user could inject arbitrary SQL commands when triggering a DAG that exposed partition_clause to the user. This allowed the DAG-triggering user to escalate privileges and execute arbitrary commands they normally would not be able to. This issue affects Ap...
• https://github.com/apache/airflow/pull/48098
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-27018 – Apache Airflow MySQL Provider: SQL injection in MySQL provider core function
https://notcve.org/view.php?id=CVE-2025-27018
19 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When a user triggered a DAG with the dump_sql or load_sql functions, they could pass a table parameter from the UI that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and other effects. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue. Vulner...
• https://github.com/apache/airflow/pull/47254
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 8.1 | EPSS: 1% | CPEs: 1 | EXPL: 0
CVE-2024-45033 – Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow CLI
https://notcve.org/view.php?id=CVE-2024-45033
08 Jan 2025 — Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When a user's password was changed with the admin CLI, the sessions for that user were not cleared, leading to insufficient session expiration; logged-in users could therefore remain logged in even after the password was changed. This only happened when the password was changed with the CLI. The problem does not happen in case the change was done with the webserver, thus this is d...
• https://github.com/apache/airflow/pull/45139
• CWE-613: Insufficient Session Expiration
CVSS: 7.8 | EPSS: 1% | CPEs: 1 | EXPL: 0
CVE-2024-45784 – Apache Airflow: Sensitive configuration values are not masked in the logs by default
https://notcve.org/view.php?id=CVE-2024-45784
15 Nov 2024 — Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exp...
• https://github.com/apache/airflow/pull/43040
• CWE-1295: Debug Messages Revealing Unnecessary Information
