apache-airflow-core 3.2.2rc1

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Missing Authorization Affected versions of this package are vulnerable to Missing Authorization. The `partitioned_dag_runs` endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global `Asset:read` permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Note: This is only exploitable in deployments that rely on per-Dag read scoping while granting users broader Asset access. How to fix Missing Authorization? Upgrade `apache-airflow-core` to version 3.2.2 or higher.	[,3.2.2)
H Authorization Bypass Through User-Controlled Key Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) that evaluates authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Note: This is only exploitable in deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `apache-airflow-core` to version 3.2.2 or higher.	[,3.2.2)
H Symlink Attack Affected versions of this package are vulnerable to Symlink Attack where a Dag author could either: (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the `FileTaskHandler` resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Note: This is only exploitable in deployments where the worker log folder is shared with the API server. How to fix Symlink Attack? Upgrade `apache-airflow-core` to version 3.2.2 or higher.	[,3.2.2)
M Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` that allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepts serialized payload shapes that the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Note: This is only exploitable in deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. How to fix Deserialization of Untrusted Data? Upgrade `apache-airflow-core` to version 3.2.2 or higher.	[,3.2.2)
M Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`). A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — can embed a custom `DeadlineReference` whose serialized form names an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Note: This is only exploitable in deployments where DAG-author code is less trusted than the scheduler process. How to fix Deserialization of Untrusted Data? Upgrade `apache-airflow-core` to version 3.2.2 or higher.	[,3.2.2)
M Insufficient Session Expiration Affected versions of this package are vulnerable to Insufficient Session Expiration in the auth manager logout handling where previously-issued JWT tokens are left valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Note: This is only exploitable for deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect `SimpleAuthManager`). How to fix Insufficient Session Expiration? Upgrade `apache-airflow-core` to version 3.2.2 or higher.	[,3.2.2)

Vulnerability

Vulnerable Version

Missing Authorization

Affected versions of this package are vulnerable to Missing Authorization. The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read.

Note:

This is only exploitable in deployments that rely on per-Dag read scoping while granting users broader Asset access.

How to fix Missing Authorization?

Upgrade apache-airflow-core to version 3.2.2 or higher.

[,3.2.2)

Authorization Bypass Through User-Controlled Key

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the bulk Task Instances API (PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances) that evaluates authorization against the dag_id resolved from the URL path while operating on the dag_id / dag_run_id extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities.

Note:

This is only exploitable in deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade apache-airflow-core to version 3.2.2 or higher.

[,3.2.2)

Symlink Attack

Affected versions of this package are vulnerable to Symlink Attack where a Dag author could either:

(a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. /etc/passwd or airflow.cfg) or

(b) supply a task_id containing .. sequences accepted by the Task SDK's KEY_REGEX (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured base_log_folder, leaking or overwriting arbitrary files.

Note:

This is only exploitable in deployments where the worker log folder is shared with the API server.

How to fix Symlink Attack?

Upgrade apache-airflow-core to version 3.2.2 or higher.

[,3.2.2)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the XCom PATCH endpoint PATCH /api/v2/xcomEntries/{key} that allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that the matching POST endpoint already validated against FORBIDDEN_XCOM_KEYS. The endpoint also accepts serialized payload shapes that the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred.

Note:

This is only exploitable in deployments where untrusted users have XCom write permission on Dags that defer to the triggerer.

How to fix Deserialization of Untrusted Data?

Upgrade apache-airflow-core to version 3.2.2 or higher.

[,3.2.2)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the scheduler-side deadline-reference decoder (SerializedCustomReference.deserialize_reference). A DAG author whose code reaches the scheduler — the default on single-host deployments where the DAG bundle is importable from the scheduler process — can embed a custom DeadlineReference whose serialized form names an attacker-controlled module path, causing the scheduler to import_string(...) and instantiate that class with a live SQLAlchemy session attached.

Note:

This is only exploitable in deployments where DAG-author code is less trusted than the scheduler process.

How to fix Deserialization of Untrusted Data?

Upgrade apache-airflow-core to version 3.2.2 or higher.

[,3.2.2)

Insufficient Session Expiration

Affected versions of this package are vulnerable to Insufficient Session Expiration in the auth manager logout handling where previously-issued JWT tokens are left valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoke_token() call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user.

Note:

This is only exploitable for deployments configured with FabAuthManager or KeycloakAuthManager (the bug does not affect SimpleAuthManager).

How to fix Insufficient Session Expiration?

Upgrade apache-airflow-core to version 3.2.2 or higher.

[,3.2.2)

apache-airflow-core@3.2.2rc1

Core packages for Apache Airflow, schedule and API server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically