CVE-2021-26559
Severity: MEDIUM
Apache Airflow 2.0.0 - Improper Access Control in Configurations Endpoint
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.
References (3)
Mailing List, Vendor Advisory (x_refsource_misc): https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E
Mailing List, Third Party Advisory (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2021/02/17/1
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E
Scores
CVSS v3
6.5
EPSS
0.0056
EPSS Percentile
68.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-284
Status
published
Products (2)
apache/airflow
2.0.0
pypi/apache-airflow
2.0.0 - 2.0.1rc1 (PyPI)
Published
Feb 17, 2021
Tracked Since
Feb 18, 2026