CVE-2021-38540

CRITICAL NUCLEI

Airflow >=2.0.0-<2.1.3 - RCE/Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-38540. PoCs published by Captain-v-hook. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC demonstrates an authentication bypass vulnerability in Apache Airflow (CVE-2021-38540) by sending a crafted HTTP POST request to the unauthenticated `/variable/varimport` endpoint, allowing the creation/modification of Airflow variables. The exploit leverages a missing authentication check to potentially achieve remote code execution or denial of service.

Description

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

Exploits (1)

nomisec WORKING POC 4 stars

by Captain-v-hook · poc

https://github.com/Captain-v-hook/PoC-for-CVE-2021-38540-

View Code ZIP pw:eip

This PoC demonstrates an authentication bypass vulnerability in Apache Airflow (CVE-2021-38540) by sending a crafted HTTP POST request to the unauthenticated `/variable/varimport` endpoint, allowing the creation/modification of Airflow variables. The exploit leverages a missing authentication check to potentially achieve remote code execution or denial of service.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Apache Airflow >=2.0.0, <2.1.3

No auth needed

Prerequisites: Network access to the Airflow web interface · Target running vulnerable Apache Airflow version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Apache Airflow - Unauthenticated Variable Import

CRITICALVERIFIEDby pdteam

Shodan:

title:"Sign In - Airflow" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow" || product:"redis"

FOFA: title="sign in - airflow" || apache airflow || title="airflow - dags" || http.html:"apache airflow"

References (2)

Core 2

Core References

Mailing List, Vendor Advisory x_refsource_misc

https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2%40%3Cannounce.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.9178

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-269 CWE-306

Status published

Products (2)

apache/airflow 2.0.0 - 2.1.3

pypi/apache-airflow 2.0.0 - 2.1.3PyPI

Published Sep 09, 2021

Tracked Since Feb 18, 2026