Apache airflow

This hub aggregates every CVE we track for Apache airflow, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Apache airflow.

• CVE-2026-40861Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler6.5Jun 1, 2026
• CVE-2026-40961Apache Airflow: Open Redirect Bypass Vulnerability7.2Jun 1, 2026
• CVE-2026-40963Apache Airflow: DAG authorization bypass on /ui/structure/structure_data3.1Jun 1, 2026
• CVE-2026-41014Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints4.3Jun 1, 2026
• CVE-2026-49267Apache Airflow: No certificate validation on SMTP STARTTLS connections5.9Jun 1, 2026
• CVE-2026-41017Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy5.9Jun 1, 2026
• CVE-2026-41084Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation7.5Jun 1, 2026
• CVE-2026-42252Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern9.1Jun 1, 2026
• CVE-2026-42360Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking6.5Jun 1, 2026
• CVE-2026-42358Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets6.5Jun 1, 2026
• CVE-2026-42359Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator8.8Jun 1, 2026
• CVE-2026-45360Apache Airflow: Arbitrary import in custom deadline-reference deserialization7.3Jun 1, 2026
• CVE-2026-45426Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access3.1Jun 1, 2026
• CVE-2026-46764Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter4.3Jun 1, 2026
• CVE-2026-48726Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path6.5Jun 1, 2026