PYSEC-2026-617

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/airflow/PYSEC-2026-617.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-617
Aliases
Published
2026-07-02T14:13:09.589522Z
Modified
2026-07-06T08:11:16.165274596Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Apache Airflow vulnerable to XSS and local file disclosure
Details

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.

References

Affected packages

PyPI / airflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.6

Affected versions

0.*
0.6

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/airflow/PYSEC-2026-617.yaml"