CVE-2020-11981

CRITICAL NUCLEI LAB

Apache Airflow < 1.10.10 - OS Command Injection via CeleryExecutor

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-11981. PoCs published by Evillm. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2020-11981, a command injection vulnerability in Apache Airflow (versions 1.10.10 and below) when using CeleryExecutor with Redis as a broker. It sends a crafted Redis message to trigger an ICMP pingback, confirming vulnerability.

Description

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.

Exploits (1)

nomisec WORKING POC
by Evillm · poc
https://github.com/Evillm/CVE-2020-11981-PoC

Classification
Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Airflow <= 1.10.10 with CeleryExecutor and Redis
No auth needed
Prerequisites: Access to Redis broker · CeleryExecutor configured in Airflow
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache Airflow <=1.10.10 - Command Injection
CRITICAL · VERIFIED · by pussycat0x
Shodan: product:"redis" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow"
FOFA: apache airflow || title="airflow - dags" || http.html:"apache airflow" || title="sign in - airflow"

Scores

CVSS v3: 9.8
EPSS: 0.9159
EPSS Percentile: 99.7%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull apache/airflow:1.10.10
docker pull airflow-custom:latest

Details

CWE: CWE-78
Status: published
Products (2)
apache/airflow < 1.10.10
pypi/apache-airflow 0 - 1.10.11rc1 (PyPI)
Published: Jul 17, 2020
Tracked Since: Feb 18, 2026