Apache Airflow Multiple Vulnerabilities Allow Remote Code Execution
Summary
CERT-Bund issued advisory WID-SEC-2026-1168 regarding multiple vulnerabilities in Apache Airflow and the Apache Airflow Keycloak Provider. Affected versions are Apache Airflow below 3.2.0 and Apache Airflow Keycloak Provider below 0.7.0. The vulnerabilities carry a CVSS Base Score of 8.8 (high) and a CVSS Temporal Score of 7.7 (high). A remote, authenticated attacker can exploit these vulnerabilities to execute arbitrary code, bypass security measures, manipulate data, and disclose confidential information.
“A remote, authenticated attacker can exploit multiple vulnerabilities in Apache Airflow and the Airflow Keycloak Provider to execute arbitrary program code, bypass security measures, manipulate data, and disclose confidential information.”
Organizations running Apache Airflow should immediately identify whether their deployments are below version 3.2.0 and whether the Keycloak Provider is below version 0.7.0. Given the documented remote code execution capability and high CVSS score, priority patching or network isolation of affected instances is warranted. The authentication requirement for exploitation reduces but does not eliminate risk — any workflow platform accessible to untrusted users or exposed to the internet should be treated as a priority update.
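The version check recommended above, as an added example that is not part of the advisory or of GovPing's page: it compares installed package versions against the fixed releases named in the advisory (3.2.0 and 0.7.0) and treats a pre-release of the fixed version (e.g. 3.2.0rc1) as still affected. The PyPI distribution names `apache-airflow` and `apache-airflow-providers-keycloak` are assumptions, not taken from the advisory.

```python
"""Check installed Airflow packages against the affected ranges in WID-SEC-2026-1168."""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# First fixed versions, from the advisory (Airflow <3.2.0 and Keycloak Provider <0.7.0
# are affected). The distribution names are an assumption, not stated in the advisory.
FIXED_IN = {
    "apache-airflow": "3.2.0",
    "apache-airflow-providers-keycloak": "0.7.0",
}

# Handles the common PEP 440 shapes: X.Y.Z, optional a/b/rc pre-release, optional .postN
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?(?:\.post(\d+))?$")


def parse_version(text):
    """Parse a version string into a comparable tuple.

    Pre-releases sort below the final release, so 3.2.0rc1 < 3.2.0 and a release
    candidate of the fixed version is still counted as affected."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 3.2.0 == 3.2 under PEP 440
        release.pop()
    pre_rank = {"a": 0, "b": 1, "rc": 2, None: 3}[m.group(2)]
    return (tuple(release), pre_rank, int(m.group(3) or 0), int(m.group(4) or 0))


def audit_versions(versions):
    """versions: mapping of distribution name -> version string (None if absent).
    Returns each tracked distribution as 'affected', 'fixed' or 'not installed'."""
    result = {}
    for name, fixed in FIXED_IN.items():
        found = versions.get(name)
        if found is None:
            result[name] = "not installed"
        else:
            result[name] = "affected" if parse_version(found) < parse_version(fixed) else "fixed"
    return result


def installed_versions():
    """Read the installed versions of the tracked distributions from package metadata."""
    found = {}
    for name in FIXED_IN:
        try:
            found[name] = installed_version(name)
        except PackageNotFoundError:
            found[name] = None
    return found


if __name__ == "__main__":
    for name, status in audit_versions(installed_versions()).items():
        print(f"{name}: {status} (fixed in {FIXED_IN[name]})")
```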
What changed
CERT-Bund published a security advisory identifying multiple high-severity vulnerabilities in Apache Airflow and the Apache Airflow Keycloak Provider. The affected versions (Apache Airflow <3.2.0 and Apache Airflow Keycloak Provider <0.7.0) allow authenticated remote attackers to execute arbitrary code, bypass security controls, manipulate data, and disclose confidential information. Mitigation measures are available. Organizations running affected versions of Apache Airflow should apply available patches or implement compensating controls to reduce exposure to remote exploitation.
Archived snapshot
Apr 20, 2026. GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
[WID-SEC-2026-1168] Apache Airflow and Apache Airflow Keycloak Provider: Multiple vulnerabilities
- CVSS Base Score: 8.8 (high)
- CVSS Temporal Score: 7.7 (high)
- Remote attack: yes
- Date: 19.04.2026
- Last updated: 20.04.2026
- Mitigation: yes
Affected systems
Operating system
- Other
- UNIX
Product description
Apache Airflow is a platform for programmatically authoring, scheduling and monitoring workflows.
Products
19.04.2026
- Apache Airflow <3.2.0
- Apache Airflow Keycloak Provider <0.7.0
Attack
A remote, authenticated attacker can exploit multiple vulnerabilities in Apache Airflow and the Airflow Keycloak Provider to execute arbitrary program code, bypass security measures, manipulate data, and disclose confidential information.
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CERT-Bund.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.