CVE-2020-17526

HIGH NUCLEI

Apache Airflow Webserver <1.10.14 - Info Disclosure

Description

Incorrect session validation in Apache Airflow Webserver versions prior to 1.10.14 with the default config allows a malicious Airflow user who logs in normally on site A to gain unauthorized access to the Airflow Webserver on site B by reusing the session from site A. This does not affect users who have changed the default value of the `[webserver] secret_key` config.

Nuclei Templates (1)

Apache Airflow <1.10.14 - Authentication Bypass
HIGH VERIFIED by piyushchhiroliya
Shodan: http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow" || product:"redis"
FOFA: Apache Airflow || apache airflow || title="airflow - dags" || http.html:"apache airflow" || title="sign in - airflow"

Scores

CVSS v3 7.7
EPSS 0.9166
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

Status published
Products (2)
apache/airflow < 1.10.14
pypi/apache-airflow 0 - 1.10.14 PyPI
Published Dec 21, 2020
Tracked Since Feb 18, 2026