Apache Airflow (Python) – Support, CVEs & Health

GHSA-2522-mrjc-m688 CVSS_V3

Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used

Published: 2024-04-18 Fixed in: 2.9.0

GHSA-269x-pg5c-5xgm CVSS_V3

Apache Airflow Execution with Unnecessary Privileges

Published: 2023-08-05 Fixed in: 2.6.0b1

GHSA-273c-4g26-4jpm CVSS_V3

Apache Airflow `/api/v2/dagReports` executes DAG Python in API

Published: 2025-10-30 Fixed in: 3.1.1

GHSA-2h84-3crq-vgfj CVSS_V3

Apache Airflow Incorrect Authorization vulnerability

Published: 2023-07-12 Fixed in: 2.6.3

GHSA-32wr-qqw6-5mfp CVSS_V3

Apache Airflow vulnerable to sensitive information exposure

Published: 2023-10-14 Fixed in: 2.7.2

GHSA-3h4m-m55v-gx4m CVSS_V3

Apache Airflow Improper Input Validation vulnerability

Published: 2023-07-12 Fixed in: 2.6.3

GHSA-3q8r-f3pj-3gc4 CVSS_V3

Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API

Published: 2022-10-07 Fixed in: 2.4.1rc1

GHSA-3qmm-r55x-hpxx CVSS_V3

Apache Airflow secrets in rendered templates could contain parts of sensitive values when truncated

Published: 2026-01-16 Fixed in: 3.1.6

GHSA-3v7g-4pg3-7r6j CVSS_V3

OS Command injection in Apache Airflow

Published: 2022-02-26 Fixed in: 2.2.4

GHSA-3xxv-p78r-4fc6 CVSS_V3

Cross-site Scripting in Apache Airflow

Published: 2021-06-18 Fixed in: 1.10.15

Apache Airflow