Description
Apache Airflow versions before 2.7.1 are affected by a vulnerability that allows authenticated users who have access to view a task or DAG in the UI to craft a URL that unmasks the task's secret configuration values, which would otherwise be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later, which has removed the vulnerability.
References (3)
Vendor Advisory (patch): https://github.com/apache/airflow/pull/33512
Vendor Advisory (patch): https://github.com/apache/airflow/pull/33516
Mailing List, Vendor Advisory (vendor-advisory): https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
Scores
CVSS v3: 6.5
EPSS: 0.0014
EPSS Percentile: 33.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (2)
apache/airflow: < 2.7.1
pypi/apache-airflow: 0 - 2.7.1 (PyPI)
Published: Sep 12, 2023
Tracked Since: Feb 18, 2026