Apache: >> Airflow >> 3.0.3 Security Vulnerabilities
An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied to build your own similar dag. If you used the `example_dag_decorator` please review it and apply the changes implemented in Airflow 3.0.5 accordingly.
CVSS Score
4.6
EPSS Score
0.001
Published
2025-10-30
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
CVSS Score
5.4
EPSS Score
0.002
Published
2025-10-30
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
CVSS Score
4.6
EPSS Score
0.001
Published
2025-10-30
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values.
In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option.
This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.
Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-09-26