Description
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
References (3)
Core 3
Core References
Issue Tracking patch
https://github.com/apache/airflow/pull/41672
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
Scores
CVSS v3
8.8
EPSS
0.0169
EPSS Percentile
74.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-250
Status
published
Products (2)
apache/airflow
< 2.10.1
pypi/apache-airflow
0 - 2.10.1PyPI
Published
Sep 07, 2024
Tracked Since
Feb 18, 2026