Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 21 Dec 2023 07:05:04 +0000
From: Ephraim Anierobi <>
Subject: CVE-2023-49920: Apache Airflow: Missing CSRF protection on

Severity: moderate

Affected versions:

- Apache Airflow 2.7.0 before 2.8.0


Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Users are advised to upgrade to version 2.8.0 or later which is not affected


Tareq Ahamed ( 0xt4req) (finder)
Jens Scheffler (remediation developer)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.