CVE-2021-38540

CRITICAL NUCLEI

Airflow >=2.0.0-<2.1.3 - RCE/Info Disclosure

Title source: llm

Description

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

Exploits (1)

nomisec WORKING POC 4 stars

by Captain-v-hook · poc

https://github.com/Captain-v-hook/PoC-for-CVE-2021-38540-

View Code ZIP pw:eip

Nuclei Templates (1)

Apache Airflow - Unauthenticated Variable Import

CRITICALVERIFIEDby pdteam

Shodan:

title:"Sign In - Airflow" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow" || product:"redis"

FOFA: title="sign in - airflow" || apache airflow || title="airflow - dags" || http.html:"apache airflow"

References (2)

[Mailing List] https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2%40%3Cannounce.apache.org%3E

[Mailing List, Vendor Advisory] https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.9178

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-269 CWE-306

Status published

Products (2)

apache/airflow 2.0.0 - 2.1.3

pypi/apache-airflow 2.0.0 - 2.1.3PyPI

Published Sep 09, 2021

Tracked Since Feb 18, 2026