CVSS: 2.3 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2026-32642 – Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission
https://notcve.org/view.php?id=CVE-2026-32642
24 Mar 2026 — Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription... • https://lists.apache.org/thread/4wlrp31ngq2yb54sf4kjb3bl41t4xgtp • CWE-863: Incorrect Authorization •
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-28563 – Apache Airflow: DAG authorization bypass
https://notcve.org/view.php?id=CVE-2026-28563
17 Mar 2026 — In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only the DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue. • https://github.com/apache/airflow/pull/62046 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-26929 – Apache Airflow: Wildcard DagVersion Listing Bypasses Per-DAG RBAC and Leaks Metadata
https://notcve.org/view.php?id=CVE-2026-26929
17 Mar 2026 — In Apache Airflow versions 3.0.0 through 3.1.7, the FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (the wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue. • https://github.com/apache/airflow/pull/61675 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-30911 – Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
https://notcve.org/view.php?id=CVE-2026-30911
17 Mar 2026 — Apache Airflow versions 3.1.0 through 3.1.7 contain a missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue. • https://github.com/apache/airflow/pull/62886 • CWE-862: Missing Authorization •
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-28779 – Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
https://notcve.org/view.php?id=CVE-2026-28779
17 Mar 2026 — In Apache Airflow versions 3.1.0 through 3.1.7, the session token (_token) cookie is set with path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, enabling full session takeover without attacking Airflow itself. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue. • https://github.com/apache/airflow/pull/62771 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-54920 – Apache Spark: Spark History Server Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-54920
14 Mar 2026 — This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary: Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command executi... • https://github.com/apache/spark/pull/51312 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.3 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-60012 – Apache Livy: Restrict file access
https://notcve.org/view.php?id=CVE-2025-60012
13 Mar 2026 — Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration ... • https://lists.apache.org/thread/gpc85fwrgrbglpk9gm8tmcjzqnctx64w • CWE-20: Improper Input Validation •
CVSS: 6.3 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-66249 – Apache Livy: Unauthorized directory access
https://notcve.org/view.php?id=CVE-2025-66249
13 Mar 2026 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed. Users are recommended to upgrade to version 0.9.0, which fixes the issue. • https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2026-23907 – Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
https://notcve.org/view.php?id=CVE-2026-23907
10 Mar 2026 — This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial... • https://github.com/JoakimBulow • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-25604 – Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass
https://notcve.org/view.php?id=CVE-2026-25604
09 Mar 2026 — In the AWS Auth Manager, the origin of the SAML authentication was used as provided by the client and not verified against the actual instance URL. This allowed access to different instances with potentially different access controls by reusing a SAML response from other instances. You should upgrade to version 9.22.0 of the provider if you use AWS Auth Manager. • https://github.com/apache/airflow/pull/61368 • CWE-346: Origin Validation Error •
