Apache Airflow Providers Edge3 Edge3 Worker RPC Remote Code Execution Vulnerability on Airflow 2

A remote code execution vulnerability has been identified in the Apache Airflow Providers Edge3, specifically in versions prior to 2.0.0, and only when installed and configured on Airflow 2. This vulnerability arises from the Edge3 provider's support in Airflow 2, which was intended for development purposes only. When the Edge3 provider was installed and configured, it activated a non-public API that allowed DAG authors to execute remote code in the webserver context, a capability they should not have had. Users affected by this vulnerability are advised to uninstall the Edge3 provider and migrate to Airflow 3, as the newer versions of the Edge3 provider (2.0.0 and above) are not compatible with Airflow 2 and do not contain the vulnerable code.

Impact

Exploitation of this vulnerability allows for remote code execution in the context of the Airflow webserver.

Remediation

Users should uninstall the Edge3 provider for Airflow 2 and migrate to Airflow 3. Instructions for this process can be found in the Apache Airflow documentation.