Search
Find a vulnerability
Search criteria
6 vulnerabilities found for apache-airflow-providers-amazon by apache
CVE-2026-42526 (GCVE-0-2026-42526)
Vulnerability from nvd – Published: 2026-05-19 19:17 – Updated: 2026-05-19 19:53
VLAI
Title
Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends
Summary
In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Amazon provider |
Affected:
0 , < 9.28.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-19T19:34:02.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/19/36"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T19:53:21.498429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T19:53:24.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "apache-airflow-providers-amazon",
"product": "Apache Airflow Amazon provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "9.28.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Justin Pakzad"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `\u0026quot;my_team/conn\u0026quot;`) to the same path as another team\u0026#x27;s team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team\u0026#x27;s secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue."
}
],
"value": "In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `\"my_team/conn\"`) to the same path as another team\u0027s team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team\u0027s secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T19:17:51.565Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/65703"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/0092sz5g520d3qqjb01wd61myqlgjtyn"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends",
"x_generator": {
"engine": "airflow-s/generate_cve_json.py"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-42526",
"datePublished": "2026-05-19T19:17:51.565Z",
"dateReserved": "2026-04-28T10:28:10.377Z",
"dateUpdated": "2026-05-19T19:53:24.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25604 (GCVE-0-2026-25604)
Vulnerability from nvd – Published: 2026-03-09 10:39 – Updated: 2026-03-09 16:48
VLAI
Title
Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass
Summary
In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.
This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.
You should upgrade to 9.22.0 version of provider if you use AWS Auth Manager.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Providers Amazon |
Affected:
8.0.0 , < 9.22.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-09T12:09:58.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/09/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T16:47:57.674471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T16:48:12.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "apache-airflow-providers-amazon",
"product": "Apache Airflow Providers Amazon",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "9.22.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sungwuk Jung"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.\u0026nbsp;\u003cbr\u003eThis allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.\u003c/p\u003eYou should upgrade to 9.22.0 version of provider if you use AWS Auth Manager.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.\u00a0\nThis allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.\n\nYou should upgrade to 9.22.0 version of provider if you use AWS Auth Manager."
}
],
"metrics": [
{
"other": {
"content": {
"text": "medium"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T10:39:05.883Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/61368"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/spwwrsmwxod7fpttcd7n7zs46j839l77"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-25604",
"datePublished": "2026-03-09T10:39:05.883Z",
"dateReserved": "2026-02-03T09:59:31.342Z",
"dateUpdated": "2026-03-09T16:48:12.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-25956 (GCVE-0-2023-25956)
Vulnerability from nvd – Published: 2023-02-24 11:48 – Updated: 2024-10-23 16:44
VLAI
Title
Apache Airflow AWS Provider: Arbitrary file read via AWS provider
Summary
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.
This issue affects Apache Airflow AWS Provider versions before 7.2.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/29587 | patch |
| https://lists.apache.org/thread/07pl9y4gdpw2c6rzq… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow AWS Provider |
Affected:
0 , < 7.2.1
(semver)
|
|
| apache | apache-airflow-providers-amazon |
Affected:
0 , < 7.2.1
(custom)
cpe:2.3:a:apache:apache-airflow-providers-amazon:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/29587"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/07pl9y4gdpw2c6rzqm77dvkm2z2kb5gv"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-amazon:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-amazon",
"vendor": "apache",
"versions": [
{
"lessThan": "7.2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-25956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T16:43:26.908971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T16:44:57.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow AWS Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Using the \"AWS\" Provider for Apache Airflow\u003cbr\u003e"
}
],
"value": "Using the \"AWS\" Provider for Apache Airflow\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Son Tran from VNPT - VCI"
},
{
"lang": "en",
"type": "finder",
"value": "kuteminh11"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Airflow AWS Provider versions before 7.2.1.\u003c/p\u003e"
}
],
"value": "Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.\n\nThis issue affects Apache Airflow AWS Provider versions before 7.2.1.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-07T08:23:44.307Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/29587"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/07pl9y4gdpw2c6rzqm77dvkm2z2kb5gv"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow AWS Provider: Arbitrary file read via AWS provider",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-25956",
"datePublished": "2023-02-24T11:48:33.110Z",
"dateReserved": "2023-02-17T10:12:03.880Z",
"dateUpdated": "2024-10-23T16:44:57.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-42526 (GCVE-0-2026-42526)
Vulnerability from cvelistv5 – Published: 2026-05-19 19:17 – Updated: 2026-05-19 19:53
VLAI
Title
Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends
Summary
In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Amazon provider |
Affected:
0 , < 9.28.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-19T19:34:02.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/19/36"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T19:53:21.498429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T19:53:24.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "apache-airflow-providers-amazon",
"product": "Apache Airflow Amazon provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "9.28.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Justin Pakzad"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `\u0026quot;my_team/conn\u0026quot;`) to the same path as another team\u0026#x27;s team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team\u0026#x27;s secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue."
}
],
"value": "In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `\"my_team/conn\"`) to the same path as another team\u0027s team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team\u0027s secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T19:17:51.565Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/65703"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/0092sz5g520d3qqjb01wd61myqlgjtyn"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends",
"x_generator": {
"engine": "airflow-s/generate_cve_json.py"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-42526",
"datePublished": "2026-05-19T19:17:51.565Z",
"dateReserved": "2026-04-28T10:28:10.377Z",
"dateUpdated": "2026-05-19T19:53:24.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25604 (GCVE-0-2026-25604)
Vulnerability from cvelistv5 – Published: 2026-03-09 10:39 – Updated: 2026-03-09 16:48
VLAI
Title
Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass
Summary
In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.
This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.
You should upgrade to 9.22.0 version of provider if you use AWS Auth Manager.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow Providers Amazon |
Affected:
8.0.0 , < 9.22.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-09T12:09:58.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/09/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T16:47:57.674471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T16:48:12.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "apache-airflow-providers-amazon",
"product": "Apache Airflow Providers Amazon",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "9.22.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sungwuk Jung"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.\u0026nbsp;\u003cbr\u003eThis allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.\u003c/p\u003eYou should upgrade to 9.22.0 version of provider if you use AWS Auth Manager.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.\u00a0\nThis allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.\n\nYou should upgrade to 9.22.0 version of provider if you use AWS Auth Manager."
}
],
"metrics": [
{
"other": {
"content": {
"text": "medium"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T10:39:05.883Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/61368"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/spwwrsmwxod7fpttcd7n7zs46j839l77"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-25604",
"datePublished": "2026-03-09T10:39:05.883Z",
"dateReserved": "2026-02-03T09:59:31.342Z",
"dateUpdated": "2026-03-09T16:48:12.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-25956 (GCVE-0-2023-25956)
Vulnerability from cvelistv5 – Published: 2023-02-24 11:48 – Updated: 2024-10-23 16:44
VLAI
Title
Apache Airflow AWS Provider: Arbitrary file read via AWS provider
Summary
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.
This issue affects Apache Airflow AWS Provider versions before 7.2.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/29587 | patch |
| https://lists.apache.org/thread/07pl9y4gdpw2c6rzq… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow AWS Provider |
Affected:
0 , < 7.2.1
(semver)
|
|
| apache | apache-airflow-providers-amazon |
Affected:
0 , < 7.2.1
(custom)
cpe:2.3:a:apache:apache-airflow-providers-amazon:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/airflow/pull/29587"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/07pl9y4gdpw2c6rzqm77dvkm2z2kb5gv"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:apache-airflow-providers-amazon:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache-airflow-providers-amazon",
"vendor": "apache",
"versions": [
{
"lessThan": "7.2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-25956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T16:43:26.908971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T16:44:57.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Airflow AWS Provider",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Using the \"AWS\" Provider for Apache Airflow\u003cbr\u003e"
}
],
"value": "Using the \"AWS\" Provider for Apache Airflow\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Son Tran from VNPT - VCI"
},
{
"lang": "en",
"type": "finder",
"value": "kuteminh11"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Airflow AWS Provider versions before 7.2.1.\u003c/p\u003e"
}
],
"value": "Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.\n\nThis issue affects Apache Airflow AWS Provider versions before 7.2.1.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-07T08:23:44.307Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/29587"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/07pl9y4gdpw2c6rzqm77dvkm2z2kb5gv"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow AWS Provider: Arbitrary file read via AWS provider",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-25956",
"datePublished": "2023-02-24T11:48:33.110Z",
"dateReserved": "2023-02-17T10:12:03.880Z",
"dateUpdated": "2024-10-23T16:44:57.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}