CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2020-13927

CVSS 9.8v3.1pub. 2020-11-10upd. 2025-10-23

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Airflow

    APP
    Apache
    < 1.10.11

CISA KEV — detailsi

Vendori
Apache
Producti
Airflow's Experimental API
Added to KEVi
January 18, 2022
Remediation deadline (US Federal)i
July 18, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 18 lipca 2022
CWE
References

Related vulnerabilities

CVE-2026-42252CRITICAL9.1PL ✓ten sam produkt

Apache Airflow: command injection przez niebezpieczny wzorzec w dokumentacji BashOperator

CVE-2025-57735CRITICAL9.1PL ✓ten sam produkt

Apache Airflow: brak unieważnienia tokenu JWT po wylogowaniu

CVE-2024-42447CRITICAL9.8PL ✓ten sam produkt

Apache Airflow Providers FAB — nieprawidłowe wygasanie sesji (CWE-613)

CVE-2023-25754CRITICAL9.8ten sam produkt

Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affect...

CVE-2023-22884CRITICAL9.8ten sam produkt

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache So...