PYSEC-2026-1139

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-apache-hive/PYSEC-2026-1139.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1139
Aliases
Published
2026-07-07T11:45:21.009176Z
Modified
2026-07-07T17:46:22.261769635Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Airflow Apache Hive Provider Improper Input Validation vulnerability
Details

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.

Patching on top of CVE-2023-35797 Before 6.1.2 the proxy_user option can also inject semicolon.

This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.

It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.

References

Affected packages

PyPI / apache-airflow-providers-apache-hive

Package

Name
apache-airflow-providers-apache-hive
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow-providers-apache-hive

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.2

Affected versions

1.*
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
1.0.2rc1
1.0.2
1.0.3rc1
1.0.3
2.*
2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc1
2.0.1rc2
2.0.1
2.0.2rc1
2.0.2
2.0.3rc1
2.0.3
2.1.0rc1
2.1.0
2.2.0rc1
2.2.0rc2
2.2.0
2.3.0rc1
2.3.0
2.3.1rc1
2.3.1
2.3.2rc1
2.3.2
2.3.3rc1
2.3.3
3.*
3.0.0rc1
3.0.0rc2
3.0.0
3.1.0rc1
3.1.0
4.*
4.0.0rc1
4.0.0rc2
4.0.0rc3
4.0.0
4.0.1rc1
4.0.1
4.1.0rc1
4.1.0
4.1.1rc2
4.1.1rc3
4.1.1
5.*
5.0.0rc1
5.0.0
5.1.0rc1
5.1.0rc2
5.1.0
5.1.1rc1
5.1.1
5.1.2rc1
5.1.2
5.1.3rc1
5.1.3
6.*
6.0.0rc1
6.0.0
6.1.0rc1
6.1.0rc2
6.1.0
6.1.1rc1
6.1.1
6.1.2rc2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow-providers-apache-hive/PYSEC-2026-1139.yaml"