Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Airflow Experimental API Authentication Bypass Vulnerability

Vulnerability

A vulnerability exists in Apache Airflow versions prior to 1.10.11, where the Experimental API allowed unauthenticated access by default. This default posed a security risk, since operators could inadvertently expose an API that accepted unauthenticated requests. Although the default was changed to deny all requests in version 1.10.11, existing installations keep their current configuration, so users must update it manually to get the new behaviour. The vulnerability can be exploited by creating a malicious DAG that executes arbitrary commands, leveraging the authentication bypass to gain unauthorized access.

Impact

Exploitation of this vulnerability allows for unauthenticated access to the Experimental API, enabling the creation of malicious DAGs that can execute arbitrary commands on the server where Airflow is running.

Reproduction

To reproduce this vulnerability, first ensure that Apache Airflow is running a version prior to 1.10.11. Then, access the Experimental API without authentication, which should be allowed by default in these earlier versions. Once unauthenticated access is confirmed, create a DAG that includes a command injection payload and execute it. This can be done using the Airflow API to trigger the execution of the DAG, which will run the injected commands on the server.

Remediation

Users of Apache Airflow should update to version 1.10.11 or later. Those unable to upgrade must change the API authentication backend to 'airflow.api.auth.backend.deny_all'.
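A configuration audit that checks an airflow.cfg for the remediation above, added here as an example and not part of the advisory: it flags a missing or permissive `[api] auth_backend` on a pre-1.10.11 release, accepts `deny_all`, and asks for manual review of any other backend. The permissive backend name `airflow.api.auth.backend.default` is taken from the Airflow 1.10 configuration reference, and the sample config is constructed.

```python
import configparser
import re

# Airflow 1.10.11 is the first release whose default denies Experimental API requests.
FIXED_VERSION = (1, 10, 11)
# Backend the advisory recommends for deployments that cannot upgrade.
DENY_ALL = "airflow.api.auth.backend.deny_all"
# Pre-1.10.11 default backend, which accepts unauthenticated requests (name taken
# from the Airflow 1.10 configuration reference, not from the advisory above).
PERMISSIVE = "airflow.api.auth.backend.default"

# Constructed sample config: a 1.10.10 install that explicitly kept the old default.
SAMPLE_CFG = """
[core]
dags_folder = /opt/airflow/dags

[api]
auth_backend = airflow.api.auth.backend.default
"""


def parse_version(text):
    """'1.10.10' -> (1, 10, 10); a suffix such as '11rc1' contributes 11."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def audit_api_auth(cfg_text, version):
    """Return (status, reason): 'vulnerable', 'ok', or 'review' for a custom backend."""
    # interpolation=None: airflow.cfg values (log formats) contain literal '%'.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    backend = parser.get("api", "auth_backend", fallback=None)
    backend = backend.strip() if backend is not None else None
    if backend == DENY_ALL:
        return "ok", "auth_backend is deny_all"
    if backend == PERMISSIVE:
        return "vulnerable", "auth_backend explicitly set to the permissive default"
    if backend is None:
        if parse_version(version) < FIXED_VERSION:
            return "vulnerable", f"no auth_backend set; Airflow {version} allows all by default"
        return "ok", f"no auth_backend set; Airflow {version} denies by default"
    return "review", f"custom backend {backend}: confirm it enforces authentication"


print(audit_api_auth(SAMPLE_CFG, "1.10.10"))
```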

Added: Mar 16, 2026, 8:20 PM
Updated: Mar 16, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 10.0
exploitability: 8.8
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.