CVE-2023-42792: Apache Airflow vulnerable to privilege escalation

October 14, 2023 (updated February 13, 2025)

Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn’t.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.

References

github.com/advisories/GHSA-j3w8-2p2h-mrr9
github.com/apache/airflow
github.com/apache/airflow/pull/34366
github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml
lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq
nvd.nist.gov/vuln/detail/CVE-2023-42792

Code Behaviors & Features

Detect and mitigate CVE-2023-42792 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →