Apache Airflow Flaws Enable Security Bypass and Multiple Additional Vulnerabilities
German authorities issued advisories for Apache Airflow covering a vulnerability that can bypass security measures and a separate notice for multiple vulnerabilities affecting the workflow orchestration platform. The alerts indicate that Airflow deployments may be exposed to weaknesses that undermine intended protections and introduce additional security risk across affected environments.
Organizations using Apache Airflow should review the referenced advisories, identify affected versions, and prioritize vendor-recommended updates or mitigations. Because Airflow is commonly used to manage automated data pipelines and scheduled jobs, successful exploitation could weaken access controls or expose connected systems and workflows to further compromise.
Timeline
Apr 27, 2026
dCERT publishes Apache Airflow multiple vulnerabilities advisory 2026-1254
dCERT published advisory 2026-1254 for Apache Airflow, disclosing multiple vulnerabilities that could allow information disclosure. This is a new advisory separate from the previously listed Apache Airflow disclosures.
Apr 20, 2026
dCERT publishes Apache Airflow and Keycloak Provider advisory 2026-1146
dCERT published advisory 2026-1146 covering multiple vulnerabilities affecting Apache Airflow and the Apache Airflow Keycloak Provider. This is a new advisory separate from the previously listed Apache Airflow disclosures.
Apr 17, 2026
dCERT publishes Apache Airflow information disclosure advisory 2026-1137
dCERT published advisory 2026-1137 for Apache Airflow, disclosing a vulnerability that could allow information disclosure. This is a new advisory separate from the previously listed Apache Airflow disclosures.
Apr 16, 2026
dCERT publishes Apache Airflow information disclosure advisory 2026-1126
dCERT published advisory 2026-1126 for Apache Airflow, disclosing a vulnerability that could allow information disclosure. This is a new advisory separate from earlier Apache Airflow vulnerability disclosures.
Apr 15, 2026
dCERT publishes Apache Airflow code execution advisory 2026-1101
dCERT published advisory 2026-1101 for Apache Airflow, disclosing a vulnerability that could allow code execution. This is a new advisory separate from the previously listed Apache Airflow disclosures.
Apr 14, 2026
dCERT publishes Apache Airflow multiple vulnerabilities advisory 2026-1052
dCERT published advisory 2026-1052 for Apache Airflow, disclosing multiple vulnerabilities affecting the platform. This represents a new advisory separate from earlier Apache Airflow disclosures.
Apr 10, 2026
dCERT publishes Apache Airflow multiple vulnerabilities advisory 2026-1021
dCERT published advisory 2026-1021 covering multiple vulnerabilities affecting Apache Airflow, indicating additional or broader security issues were disclosed.
Mar 31, 2026
dCERT publishes Apache Airflow security bypass advisory 2026-0896
dCERT published advisory 2026-0896 for Apache Airflow, stating that a vulnerability could allow bypassing security measures.
Related Stories

Apache Airflow 3.0.x Exposed JWTs Through Logout and Logging Flaws
Apache disclosed two JWT-related vulnerabilities in Apache Airflow affecting versions `3.0.0` before `3.2.0`. The first, `CVE-2025-57735`, is a low-severity flaw in which logout did not invalidate authentication JWTs, leaving intercepted tokens usable after a user signed out. The second, `CVE-2026-31987`, is a moderate-severity issue that caused task JWTs to appear in logs, potentially exposing credentials to users who could then act as DAG authors. Apache said both issues are fixed in Airflow `3.2.0`, which adds token invalidation on logout and removes the logging exposure. Organizations running affected releases have been advised to upgrade to `3.2.0` or later, particularly where shared log access or concerns about token reuse could increase the risk of unauthorized access and privilege escalation.
2 weeks ago
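To make the logout issue concrete, the following is an added example, not Airflow's code and not a reproduction of CVE-2025-57735: it contrasts a stateless JWT session in which logout only tells the client to drop the token (so a token captured earlier keeps working until it expires) with one that records the token's `jti` in a server-side revocation list on logout. The HS256 signer, the `SECRET` key, the claim layout (`sub`, `jti`, `exp`) and the class names are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed signing key for the example; a real deployment loads this from config.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the HMAC verifies, otherwise None (never trust unverified claims)."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None


class StatelessAuth:
    """Weak pattern: logout clears the client cookie but the server keeps no record,
    so an intercepted token remains valid until 'exp'."""

    def login(self, user: str, now: int, ttl: int = 3600) -> str:
        return sign_jwt({"sub": user, "jti": secrets.token_hex(8), "exp": now + ttl})

    def logout(self, token: str) -> None:
        pass  # nothing is revoked server-side

    def verify(self, token: str, now: int) -> Optional[str]:
        claims = verify_signature(token)
        if claims is None or claims["exp"] <= now:
            return None
        return claims["sub"]


class RevokingAuth(StatelessAuth):
    """Hardened pattern: logout records the token's jti; verify rejects revoked tokens."""

    def __init__(self) -> None:
        self._revoked: dict = {}  # jti -> exp, so entries can be dropped once expired anyway

    def logout(self, token: str) -> None:
        claims = verify_signature(token)
        if claims is not None:
            self._revoked[claims["jti"]] = claims["exp"]

    def verify(self, token: str, now: int) -> Optional[str]:
        claims = verify_signature(token)
        if claims is None or claims["exp"] <= now:
            return None
        # Keep the deny-list bounded: anything already past 'exp' fails the check above.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        if claims["jti"] in self._revoked:
            return None
        return claims["sub"]


def replay_after_logout(auth_cls) -> bool:
    """True if a token captured before logout still authenticates one minute later."""
    auth = auth_cls()
    now = 1_700_000_000  # constructed fixed clock for a deterministic run
    token = auth.login("alice", now)
    auth.logout(token)
    return auth.verify(token, now + 60) == "alice"


if __name__ == "__main__":
    print("stateless replay works:", replay_after_logout(StatelessAuth))  # True
    print("revoking replay works: ", replay_after_logout(RevokingAuth))   # False
```

The revocation list is the standard cost of making a bearer token revocable before its expiry; keeping `exp` short bounds both the list and the replay window, and a multi-node deployment would hold the list in shared storage rather than process memory as this example does.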
Apache Airflow fixes XCom-related code execution flaws in deserialization and example DAGs
Apache disclosed two low-severity code execution issues in **Apache Airflow** tied to its XCom mechanism and addressed them in **Airflow 3.2.0**. **CVE-2026-33858** affects Airflow versions `3.1.8` before `3.2.0` and stems from unsafe deserialization in the XCom API, where legacy serialization keys `__type` and `__var` can bypass protections and let a DAG author craft payloads that execute arbitrary code in the webserver context. Apache said the flaw was rated low severity because DAG authors are already treated as highly trusted users. Apache also disclosed **CVE-2025-54550**, a low-severity remote code execution issue involving the documented `example_xcom` DAG pattern. The vulnerable pattern read XCom values in a way that could allow a UI user with permission to modify XComs to trigger arbitrary code execution on a worker through a race condition. Apache said official releases were not directly affected because example DAGs are not meant to be enabled in production, but organizations that copied the documented approach could reproduce the weakness in their own deployments; updated documentation in **Airflow 3.2.0** provides a safer example.
2 weeks ago
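The `__type`/`__var` issue above is an instance of a general deserialization hazard: if the type tag is resolved to any importable dotted path and then called with the payload's arguments, the serialized data chooses what code runs. The following added example is not Airflow's serializer and does not reproduce CVE-2026-33858; it shows a toy legacy-style deserializer that resolves `__type` through `importlib` beside a hardened version that only honours an explicit allowlist of constructors. The `ALLOWED_TYPES` table, the `UnsafePayload` exception and the sample payloads are all constructed for the demonstration, and `os.getcwd` stands in for any importable callable an attacker might name.

```python
import datetime
import decimal
import importlib
from typing import Any, Callable, Dict

TYPE_KEY, VAR_KEY = "__type", "__var"


class UnsafePayload(ValueError):
    """Raised by the hardened deserializer when a payload names a type outside the allowlist."""


def _resolve_any(dotted: str) -> Callable:
    """Legacy behaviour: import whatever module the tag names and fetch the attribute."""
    module_name, _, attr = dotted.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def _call(ctor: Callable, args: Any) -> Any:
    return ctor(**args) if isinstance(args, dict) else ctor(args)


def deserialize_legacy(obj: Any) -> Any:
    """Dangerous pattern: any dotted path in __type is resolved and called with __var."""
    if isinstance(obj, dict) and TYPE_KEY in obj:
        return _call(_resolve_any(obj[TYPE_KEY]), deserialize_legacy(obj.get(VAR_KEY, {})))
    if isinstance(obj, dict):
        return {k: deserialize_legacy(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [deserialize_legacy(v) for v in obj]
    return obj


# Constructed allowlist: only these tags may be turned back into objects.
ALLOWED_TYPES: Dict[str, Callable] = {
    "datetime.date": datetime.date,
    "decimal.Decimal": decimal.Decimal,
}


def deserialize_safe(obj: Any) -> Any:
    """Hardened pattern: the tag is a lookup key into an allowlist, never an import path."""
    if isinstance(obj, dict) and TYPE_KEY in obj:
        name = obj[TYPE_KEY]
        if name not in ALLOWED_TYPES:
            raise UnsafePayload(f"type {name!r} is not permitted")
        return _call(ALLOWED_TYPES[name], deserialize_safe(obj.get(VAR_KEY, {})))
    if isinstance(obj, dict):
        return {k: deserialize_safe(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [deserialize_safe(v) for v in obj]
    return obj


def is_rejected(obj: Any) -> bool:
    """True if the hardened deserializer refuses the payload."""
    try:
        deserialize_safe(obj)
        return False
    except UnsafePayload:
        return True


# Constructed payloads, as an XCom-like JSON document would carry them.
LEGIT = {"__type": "datetime.date", "__var": {"year": 2026, "month": 4, "day": 27}}
HOSTILE = {"__type": "os.getcwd", "__var": {}}  # any callable reachable by import
NESTED = {"result": [LEGIT, {"__type": "decimal.Decimal", "__var": "1.5"}]}


if __name__ == "__main__":
    print(deserialize_legacy(LEGIT))        # 2026-04-27
    print(deserialize_legacy(HOSTILE))      # the process's working directory: code ran
    print(deserialize_safe(NESTED))         # {'result': [datetime.date(2026, 4, 27), Decimal('1.5')]}
    print(is_rejected(HOSTILE))             # True
```

The difference is where the trust boundary sits: with `importlib` the boundary is "anything installed in the interpreter", while the allowlist makes the set of reachable constructors an explicit, reviewable list. The same applies to any serializer that keeps accepting older tag names for compatibility; those legacy paths need the same allowlist as the current ones.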
Apache ActiveMQ and Artemis Flaws Enable Security Bypass and Multiple Attacks
German authorities issued advisories for **Apache ActiveMQ Artemis** and **Apache ActiveMQ Classic** components after disclosing vulnerabilities that affect the broker, client, and web interfaces. One advisory warns that a flaw in **Apache ActiveMQ Artemis** can allow attackers to **bypass security measures**, raising the risk of unauthorized access or actions within affected messaging environments. A separate advisory reports **multiple vulnerabilities** in **Apache ActiveMQ** across the **Client, Broker, and Web** components, indicating broader exposure for organizations using the messaging platform in enterprise integrations and application back ends. The notices identify the affected Apache messaging products as requiring prompt review and remediation to reduce the risk of compromise in systems that rely on ActiveMQ services.
1 week ago