CVE-2024-27906

MEDIUM

Apache Airflow <2.8.2 - Info Disclosure

Title source: llm

Description

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

References (4)

Core 4

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2024/02/29/1

Broken Link patch

https://github.com/apache/airflow/pull/37290

Issue Tracking patch

https://github.com/apache/airflow/pull/37468

Mailing List, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5

Scores

CVSS v3 5.9

EPSS 0.0005

EPSS Percentile 16.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

apache/airflow < 2.8.2

pypi/apache-airflow 0 - 2.8.2PyPI

Published Feb 29, 2024

Tracked Since Feb 18, 2026