CVE-2021-26697
Severity: MEDIUM
Apache Airflow 2.0.0 - Unauthenticated Improper Privilege Management via Experimental API Lineage Endpoint
Title source: llmDescription
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to reach that endpoint. This is a low-severity issue because the attacker needs to know certain parameters to pass to that endpoint, and even then can only obtain some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.
References (4)
1. Mailing List, Third Party Advisory (x_refsource_misc): https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
2. Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2021/02/17/2
3. Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cdev.airflow.apache.org%3E
4. Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9%40%3Cannounce.apache.org%3E
Scores
CVSS v3: 5.3
EPSS: 0.0246
EPSS Percentile: 85.4%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-269, CWE-306
Status: published
Products (2)
apache/airflow: 2.0.0
pypi/apache-airflow: 2.0.0 - 2.0.1rc1 (PyPI)
Published: Feb 17, 2021
Tracked Since: Feb 18, 2026