CVE-2020-11978

HIGH KEV NUCLEI LAB

Apache Airflow < 1.10.11 - Authenticated Remote Code Execution via Example DAG

Title source: llm

Exploitation Summary

CVE-2020-11978 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added January 18, 2022). EIP tracks 3 public exploits, from researchers including pberba (Pepe Berba), xuxiang and Ismail E. Dawoodjee, among them the Metasploit module exploits/linux/http/apache_airflow_dag_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary
The public proof-of-concept for CVE-2020-11978 targets the `example_trigger_target_dag` example DAG shipped with Airflow: its BashOperator renders the `message` value from the DAG run's conf straight into the shell command it executes, so a crafted message breaks out of the quoting and runs attacker-chosen commands as the worker/scheduler user. The DAG is triggered through the experimental REST API, which can be reached without credentials when the instance is also affected by CVE-2020-13927 (the 1.10.10 default API auth backend performs no authentication).

Description

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

Exploits (3)

nomisec WORKING POC 8 stars
by pberba · remote
https://github.com/pberba/CVE-2020-11978

Proof-of-concept that triggers `example_trigger_target_dag` through the experimental REST API with a crafted `message` in the run conf, turning the DAG's command injection into remote code execution; no credentials are required when the instance is also affected by CVE-2020-13927.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Airflow <1.10.11
No auth needed
Prerequisites: Airflow instance with example DAGs loaded · Access to the experimental REST API (unauthenticated if CVE-2020-13927 is present)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
python · webapps · multiple
https://www.exploit-db.com/exploits/49927

This exploit leverages CVE-2020-11978 in Apache Airflow <= 1.10.10 by injecting a command into the 'example_trigger_target_dag' via the Experimental REST API, achieving remote code execution. It relies on CVE-2020-13927 for unauthenticated access to that API.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Airflow <= 1.10.10
No auth needed
Prerequisites: Access to the Experimental REST API · Example DAGs enabled
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by xuxiang, Pepe Berba, Ismail E. Dawoodjee · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_airflow_dag_rce.rb

This Metasploit module exploits CVE-2020-11978, an authenticated command injection vulnerability in Apache Airflow 1.10.10, combined with CVE-2020-13927 (unauthenticated access to the Experimental REST API) to achieve unauthenticated RCE. It triggers the vulnerable 'example_trigger_target_dag' example DAG through that API with the command injected into the run conf.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Airflow 1.10.10
No auth needed
Prerequisites: Apache Airflow 1.10.10 with default settings · Experimental REST API enabled · Example DAGs loaded
devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

Apache Airflow <=1.10.10 - Remote Code Execution
HIGH · VERIFIED · by pdteam
Shodan: title:"Airflow - DAGs" || http.html:"Apache Airflow" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow" || product:"redis"
FOFA: title="sign in - airflow" || apache airflow || title="airflow - dags" || http.html:"apache airflow"

Scores

CVSS v3 8.8
EPSS 0.9427
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull apache/airflow:1.10.10

Details

CISA KEV 2022-01-18
VulnCheck KEV 2022-01-18
InTheWild.io 2021-09-17
ENISA EUVD EUVD-2020-0032
CWE
CWE-78
Status published
Products (2)
apache/airflow < 1.10.11
pypi/apache-airflow 0 - 1.10.11rc1 (PyPI)
Published Jul 17, 2020
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026