CVE-2023-39508

HIGH

Apache Airflow < 2.6.0 - Information Disclosure

Title source: rule

Description

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0 This issue affects Apache Airflow: before 2.6.0.

References (3)

[Not Applicable] http://seclists.org/fulldisclosure/2023/Jul/43

[Patch, Vendor Advisory] https://github.com/apache/airflow/pull/29706

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15

Scores

CVSS v3 8.8

EPSS 0.0048

EPSS Percentile 65.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-200 CWE-250

Status published

Products (2)

apache/airflow < 2.6.0

pypi/apache-airflow 0 - 2.6.0b1PyPI

Published Aug 05, 2023

Tracked Since Feb 18, 2026