CVE-2026-32794

MEDIUM

Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange

Title source: cna

Description

Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to the Databricks back-end, which could allow a man-in-the-middle attack in which traffic is intercepted and manipulated, or credentials are exfiltrated, without notice. This issue affects Apache Airflow Provider for Databricks from 1.10.0 before 1.12.0. Users are recommended to upgrade to version 1.12.0, which fixes the issue.
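The following is an added example and is not code from the Airflow Databricks provider or from the advisory. It shows what "certificate validation disabled" (CWE-295) looks like in Python HTTP client code next to the hardened form, a runtime check that a TLS context still validates the peer, and a small AST-based scanner that flags the weak pattern in source you control (DAGs, plugins, vendored clients). The sample source it scans is constructed for the example; the function and host names in it are placeholders, not the provider's actual token-exchange code.

```python
"""Added example: disabled vs. enforced TLS peer validation, plus a scanner
for the weak pattern. Not code from the Airflow Databricks provider."""
import ast
import ssl
from dataclasses import dataclass
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The CWE-295 pattern: the session is still encrypted, but any
    certificate is accepted, so an on-path attacker presenting a self-signed
    cert can terminate TLS, read the bearer token, and forward or alter the
    request without the client noticing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # hostname no longer matched against cert
    ctx.verify_mode = ssl.CERT_NONE   # chain not validated at all
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: validate the chain against the system trust store (or a
    private CA bundle when an internal TLS-inspecting proxy sits in the path)
    and match the hostname. Both are the defaults of create_default_context."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """Runtime guard for client setup code: True only if the peer certificate
    chain is required and the hostname is checked."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


@dataclass
class Finding:
    line: int
    reason: str


def _false_constant(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def scan_source(source: str) -> List[Finding]:
    """Flag call sites and assignments that switch certificate validation off:
    verify=False keyword, ssl._create_unverified_context(),
    check_hostname = False, verify_mode = ssl.CERT_NONE."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "verify" and _false_constant(kw.value):
                    findings.append(Finding(node.lineno, "verify=False passed to HTTP call"))
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name == "_create_unverified_context":
                findings.append(Finding(node.lineno, "ssl._create_unverified_context() used"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                if target.attr == "check_hostname" and _false_constant(node.value):
                    findings.append(Finding(node.lineno, "check_hostname set to False"))
                if (target.attr == "verify_mode" and isinstance(node.value, ast.Attribute)
                        and node.value.attr == "CERT_NONE"):
                    findings.append(Finding(node.lineno, "verify_mode set to CERT_NONE"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample source (hypothetical names, not the provider's code).
SAMPLE_SOURCE = '''\
import requests, ssl

def exchange_token(host, k8s_jwt):
    return requests.post(f"https://{host}/token",
                         data={"assertion": k8s_jwt},
                         verify=False)

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
safe = requests.get("https://example.invalid", verify=True)
'''


if __name__ == "__main__":
    print("hardened validates peer:", context_validates_peer(hardened_context()))
    print("insecure validates peer:", context_validates_peer(insecure_context()))
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.reason}")
```

The scanner is deliberately narrow: it catches the explicit forms of the weak pattern, not every way validation can be bypassed (for example a custom `HTTPAdapter` or a monkey-patched `ssl` module), so treat it as a first pass when auditing whether an upgrade to 1.12.0 is in place and whether any of your own code repeats the same mistake.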

Exploits (1)

nomisec WRITEUP
by SnailSploit · poc
https://github.com/SnailSploit/CVE-2026-32794

Scores

CVSS v3 4.8
EPSS 0.0003
EPSS Percentile 7.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-295
Status published
Products (3)
apache/airflow_providers_databricks 1.10.0 (inclusive) to 1.12.0 (exclusive, fixed version)
Apache Software Foundation/Apache Airflow Provider for Databricks 1.10.0 (inclusive) to 1.12.0 (exclusive, fixed version)
pypi/apache-airflow 1.10.0 (inclusive) to 1.12.0 (exclusive), PyPI (note: the description names the Databricks provider distribution, not Airflow core, as the affected package)
Published Mar 30, 2026
Tracked Since Mar 31, 2026