Apache Airflow DAG Code Execution Vulnerability via API Endpoint

Vulnerability

A vulnerability in Apache Airflow versions from 3.0.0 up to, but not including, 3.1.1 allows API users to execute DAG code through the '/api/v2/dagReports' endpoint. The issue arises when the API server is deployed in an environment where DAG files are accessible.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of DAG Python code in the context of the API server.
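
An added triage example (not from this advisory or the Airflow project): it checks a version string against the affected range stated above and lists requests to the endpoint found in an access log. The combined-log layout of a fronting proxy, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Affected range as stated on this page: 3.0.0 up to, but not including, 3.1.1.
AFFECTED_FROM = (3, 0, 0)
FIXED_IN = (3, 1, 1)
ENDPOINT = "/api/v2/dagReports"

# Assumption: combined-format access log written by a proxy in front of the API server.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines (documentation addresses, made-up users and query string).
SAMPLE_LOG = [
    '192.0.2.10 - alice [30/Oct/2025:10:02:11 +0000] "GET /api/v2/dags HTTP/1.1" 200 512',
    '192.0.2.44 - bob [30/Oct/2025:10:05:37 +0000] "GET /api/v2/dagReports?example=1 HTTP/1.1" 200 1331',
    '192.0.2.44 - - [30/Oct/2025:10:06:02 +0000] "GET /api/v2/dagReports/ HTTP/1.1" 401 87',
    'line that does not match the assumed format',
]

def parse_version(text):
    """Return (major, minor, patch); any pre-release or build suffix is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    """True when the version lies in the range this page lists as affected."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN

def dag_report_hits(lines):
    """Yield who called the dagReports endpoint, when, and the response status."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        # Normalise before comparing: drop the query, decode %-escapes, trim '/'.
        path = unquote(m["target"].split("?", 1)[0]).rstrip("/")
        if path == ENDPOINT:
            yield {k: m[k] for k in ("client", "user", "ts", "method", "status")}

if __name__ == "__main__":
    print("3.0.6 affected:", is_affected("3.0.6"))
    for hit in dag_report_hits(SAMPLE_LOG):
        print(hit)
```

On a deployment in the affected range, hits with a 2xx status are the ones to review first, since those requests were served.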

Added: Oct 30, 2025, 10:18 AM
Updated: Oct 30, 2025, 3:16 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 10.0
exploitability: 5.2
remediation: 0.0
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.