Package impact
PyPI / apache-airflow
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-25917 | high | — | 8.0 | 1mo ago | Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly tr… | |
| CVE-2026-38743 | medium | — | 5.5 | 1mo ago | Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record | |
| CVE-2026-40690 | medium | — | 5.5 | 1mo ago | Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions |