CVE-2026-32794: Apache Airflow Provider for Databricks: TLS Certificate Verification is Disabled in Databricks Provider K8s Token Exchange

March 31, 2026 (updated April 1, 2026)

Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice.

This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0.

Users are recommended to upgrade to version 1.12.0, which fixes the issue.

References

github.com/advisories/GHSA-wrpj-755p-x363
github.com/apache/airflow
github.com/apache/airflow/pull/63704
lists.apache.org/thread/hn17yqsgsdtl81llvhf80rkp53hnz5nb
nvd.nist.gov/vuln/detail/CVE-2026-32794

Code Behaviors & Features

Detect and mitigate CVE-2026-32794 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →