oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-56373: Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information

From: Jarek Potiuk <potiuk () apache org>
Date: Mon, 23 Feb 2026 23:28:28 +0000
Severity: medium 

Affected versions:

- Apache Airflow (apache-airflow) before 2.11.1

Description:

DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute 
arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote 
code execution in the context of web-server (server-side) as a result of a user viewing historical task information.

The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should 
upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log 
file names if they want to see historical logs that were generated before the last log template change.

Credit:

Seokchan Yoon. (finder)

References:

https://github.com/apache/airflow/pull/61880
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-56373
Previous By Date Next
Previous By Thread Next

Current thread: