Description
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/12/1
Patch, Vendor Advisory patch
https://github.com/apache/airflow/pull/33413
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
Scores
CVSS v3
4.3
EPSS
0.0012
EPSS Percentile
31.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
apache/airflow
< 2.7.3
pypi/apache-airflow
0 - 2.7.1PyPI
Published
Sep 12, 2023
Tracked Since
Feb 18, 2026