CVE-2020-13927

CRITICAL KEV NUCLEI

Apache Airflow < 1.10.11 - Unauthenticated Remote Code Execution via Experimental API

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-13927 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 18, 2022. EIP tracks 2 public exploits from researchers including Pepe Berba, xuxiang, Pepe Berba, Ismail E. Dawoodjee, including a Metasploit module exploits/linux/http/apache_airflow_dag_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages CVE-2020-11978 and CVE-2020-13927 to achieve unauthenticated remote code execution in Apache Airflow versions <= 1.10.10 by manipulating the Experimental API to trigger a vulnerable example DAG.

Description

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

Exploits (2)

exploitdb WORKING POC
by Pepe Berba · pythonwebappsmultiple
https://www.exploit-db.com/exploits/49927

This exploit leverages CVE-2020-11978 and CVE-2020-13927 to achieve unauthenticated remote code execution in Apache Airflow versions <= 1.10.10 by manipulating the Experimental API to trigger a vulnerable example DAG.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Airflow <= 1.10.10
No auth needed
Prerequisites: Access to the Airflow Experimental API · Example DAGs enabled in the target Airflow instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by xuxiang, Pepe Berba, Ismail E. Dawoodjee · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_airflow_dag_rce.rb

This Metasploit module exploits CVE-2020-13927 and CVE-2020-11978 in Apache Airflow 1.10.10, combining unauthenticated API access with a command injection vulnerability in an example DAG to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Airflow 1.10.10
No auth needed
Prerequisites: Access to the Airflow Experimental REST API · Example DAGs must be loaded and unpaused
devstral-2 · analyzed Apr 22, 2026 Full analysis →

Nuclei Templates (1)

Airflow Experimental <1.10.11 - REST API Auth Bypass
CRITICALVERIFIEDby pdteam
Shodan: title:"Airflow - DAGs" || http.html:"Apache Airflow" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow" || product:"redis"
FOFA: title="sign in - airflow" || apache airflow || title="airflow - dags" || http.html:"apache airflow"

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.9410
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-01-18
VulnCheck KEV 2022-01-18
InTheWild.io 2021-09-17
ENISA EUVD EUVD-2020-0037
CWE
CWE-306 CWE-1188 CWE-1056
Status published
Products (2)
apache/airflow < 1.10.11
pypi/apache-airflow 0 - 1.10.11PyPI
Published Nov 10, 2020
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026