PYSEC-2026-181

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-181.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-181
Aliases
Published
2026-06-01T09:16:17.893Z
Modified
2026-06-05T07:56:04.723447968Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. /etc/passwd or airflow.cfg) or (b) supply a task_id containing .. sequences accepted by the Task SDK's KEY_REGEX (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured base_log_folder, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to apache-airflow 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem.

References

Affected packages

PyPI / apache-airflow

Package

Name
apache-airflow
View open source insights on deps.dev
Purl
pkg:pypi/apache-airflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.2

Affected versions

1.*
1.8.1
1.8.2rc1
1.8.2
1.9.0
1.10.0
1.10.1b1
1.10.1rc2
1.10.1
1.10.2b2
1.10.2rc1
1.10.2rc2
1.10.2rc3
1.10.2
1.10.3b1
1.10.3b2
1.10.3rc1
1.10.3rc2
1.10.3
1.10.4b2
1.10.4rc1
1.10.4rc2
1.10.4rc3
1.10.4rc4
1.10.4rc5
1.10.4
1.10.5rc1
1.10.5
1.10.6rc1
1.10.6rc2
1.10.6
1.10.7rc1
1.10.7rc2
1.10.7rc3
1.10.7
1.10.8rc1
1.10.8
1.10.9rc1
1.10.9
1.10.10rc1
1.10.10rc2
1.10.10rc3
1.10.10rc4
1.10.10rc5
1.10.10
1.10.11rc1
1.10.11rc2
1.10.11
1.10.12rc1
1.10.12rc2
1.10.12rc3
1.10.12rc4
1.10.12
1.10.13rc1
1.10.13
1.10.14rc1
1.10.14rc2
1.10.14rc3
1.10.14rc4
1.10.14
1.10.15rc1
1.10.15
2.*
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0
2.0.1rc1
2.0.1rc2
2.0.1
2.0.2rc1
2.0.2
2.1.0rc1
2.1.0rc2
2.1.0
2.1.1rc1
2.1.1
2.1.2rc1
2.1.2
2.1.3rc1
2.1.3
2.1.4rc1
2.1.4rc2
2.1.4
2.2.0b1
2.2.0b2
2.2.0rc1
2.2.0
2.2.1rc1
2.2.1rc2
2.2.1
2.2.2rc1
2.2.2rc2
2.2.2
2.2.3rc1
2.2.3rc2
2.2.3
2.2.4rc1
2.2.4
2.2.5rc1
2.2.5rc2
2.2.5rc3
2.2.5
2.3.0b1
2.3.0rc1
2.3.0rc2
2.3.0
2.3.1rc1
2.3.1
2.3.2rc1
2.3.2rc2
2.3.2
2.3.3rc1
2.3.3rc2
2.3.3rc3
2.3.3
2.3.4rc1
2.3.4
2.4.0b1
2.4.0rc1
2.4.0
2.4.1rc1
2.4.1
2.4.2rc1
2.4.2
2.4.3rc1
2.4.3
2.5.0rc1
2.5.0rc2
2.5.0rc3
2.5.0
2.5.1rc1
2.5.1rc2
2.5.1
2.5.2rc1
2.5.2rc2
2.5.2
2.5.3rc1
2.5.3rc2
2.5.3
2.6.0b1
2.6.0rc1
2.6.0rc2
2.6.0rc3
2.6.0rc4
2.6.0rc5
2.6.0
2.6.1rc1
2.6.1rc2
2.6.1rc3
2.6.1
2.6.2rc1
2.6.2rc2
2.6.2
2.6.3rc1
2.6.3
2.7.0b1
2.7.0rc1
2.7.0rc2
2.7.0
2.7.1rc1
2.7.1rc2
2.7.1
2.7.2rc1
2.7.2
2.7.3rc1
2.7.3
2.8.0b1
2.8.0rc1
2.8.0rc2
2.8.0rc3
2.8.0rc4
2.8.0
2.8.1rc1
2.8.1
2.8.2rc1
2.8.2rc2
2.8.2rc3
2.8.2
2.8.3rc1
2.8.3
2.8.4rc1
2.8.4
2.9.0b1
2.9.0b2
2.9.0rc1
2.9.0rc2
2.9.0rc3
2.9.0
2.9.1rc1
2.9.1rc2
2.9.1
2.9.2rc1
2.9.2
2.9.3rc1
2.9.3
2.10.0b1
2.10.0b2
2.10.0rc1
2.10.0
2.10.1rc1
2.10.1
2.10.2rc1
2.10.2
2.10.3rc1
2.10.3rc2
2.10.3
2.10.4rc1
2.10.4
2.10.5rc1
2.10.5
2.11.0rc1
2.11.0
2.11.1rc1
2.11.1rc2
2.11.1
2.11.2rc1
2.11.2
3.*
3.0.0b4
3.0.0rc1
3.0.0rc1.post1
3.0.0rc1.post2
3.0.0rc1.post3
3.0.0rc1.post4
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0
3.0.1rc1
3.0.1
3.0.2rc1
3.0.2rc2
3.0.2
3.0.3rc1
3.0.3rc2
3.0.3rc3
3.0.3rc4
3.0.3rc5
3.0.3rc6
3.0.3
3.0.4rc1
3.0.4rc2
3.0.4
3.0.5rc1
3.0.5rc2
3.0.5rc3
3.0.5
3.0.6rc1
3.0.6rc2
3.0.6
3.1.0b1
3.1.0b2
3.1.0rc1
3.1.0rc2
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1
3.1.2rc1
3.1.2rc2
3.1.2
3.1.3rc1
3.1.3
3.1.4rc1
3.1.4rc2
3.1.4
3.1.5rc1
3.1.5
3.1.6rc1
3.1.6
3.1.7rc1
3.1.7rc2
3.1.7
3.1.8rc1
3.1.8rc2
3.1.8
3.2.0b1
3.2.0b2
3.2.0rc1
3.2.0rc2
3.2.0
3.2.1rc1
3.2.1rc2
3.2.1rc3
3.2.1
3.2.2rc1
3.2.2rc2
3.2.2rc3

Database specific

source 
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2026-181.yaml"