CVE-2020-13927

CVSS 9.8 (Critical) · EPSS 99.7% · Listed in CISA KEV · CWE-1056, CWE-1188, CWE-306
In short

Apache Airflow's Experimental API accepted requests from anyone by default, without requiring authentication, so anyone with network access to the instance could control workflows and data. Version 1.10.11 changed the default to deny all requests, but installations upgraded from earlier versions remain exposed unless the auth backend is set explicitly in their configuration.

Technical detail

The Experimental API endpoint did not enforce authentication by default (CWE-306), allowing unauthenticated remote attackers to make arbitrary API calls over the network. Exploitation requires only network access to the Airflow instance. Affected are deployments on versions before 1.10.11, and upgraded deployments that have not explicitly configured the deny_all auth backend. Impact includes unauthorized workflow manipulation, data exfiltration, and potential remote code execution through DAG uploads.

Summary generated and translated by AI from the official description.
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
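Because the fix only changes the default for new installs, the practical check on an existing deployment is what `[api] auth_backend` actually resolves to. The following shell script is an added example, not part of the CVE record or of the Airflow project: it reads `auth_backend` from the `[api]` section of an airflow.cfg, honours the `AIRFLOW__API__AUTH_BACKEND` environment override that Airflow supports, and reports the instance as exposed unless the backend is `airflow.api.auth.backend.deny_all`. The two config files are constructed for the example; `airflow.api.auth.backend.default` is used as the pre-1.10.11 allow-all backend, which the description above refers to but does not name.

```shell
#!/bin/sh
# Added example (not from the CVE page or the Airflow project): decide whether
# an airflow.cfg locks the Experimental API down with deny_all.

# Print the effective [api] auth_backend. Airflow lets the environment
# variable AIRFLOW__API__AUTH_BACKEND override the file, so check it first.
airflow_api_backend() {
  cfg="$1"
  if [ -n "${AIRFLOW__API__AUTH_BACKEND:-}" ]; then
    printf '%s\n' "$AIRFLOW__API__AUTH_BACKEND"
    return 0
  fi
  # Minimal INI walk: values here never contain '=', so split on the first one.
  awk -F'=' '
    # a "[section]" line starts a new section; remember whether it is [api]
    /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[api\][[:space:]]*$/); next }
    # first auth_backend key inside [api] wins; trim surrounding whitespace
    insec && $1 ~ /^[[:space:]]*auth_backend[[:space:]]*$/ {
      v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
    }
  ' "$cfg"
}

# Exit 0 only when the backend is the deny_all module. On 1.10.x an absent key
# meant airflow.api.auth.backend.default (allow everything), so "not set" is
# treated as exposed, not as unknown.
airflow_api_is_denied() {
  [ "$(airflow_api_backend "$1")" = "airflow.api.auth.backend.deny_all" ]
}

# Constructed sample configs: one exposed (old default), one remediated.
VULN_CFG="$(mktemp)"
FIXED_CFG="$(mktemp)"
trap 'rm -f "$VULN_CFG" "$FIXED_CFG"' EXIT
cat >"$VULN_CFG" <<'EOF'
[core]
dags_folder = /opt/airflow/dags

[api]
auth_backend = airflow.api.auth.backend.default
EOF
cat >"$FIXED_CFG" <<'EOF'
[core]
dags_folder = /opt/airflow/dags

[api]
auth_backend = airflow.api.auth.backend.deny_all
EOF

for cfg in "$VULN_CFG" "$FIXED_CFG"; do
  if airflow_api_is_denied "$cfg"; then
    echo "$cfg: Experimental API denies all requests"
  else
    echo "$cfg: Experimental API EXPOSED (auth_backend=$(airflow_api_backend "$cfg"))"
  fi
done
```

Run it against the airflow.cfg of each webserver host; remember that a container or systemd unit may set `AIRFLOW__API__AUTH_BACKEND`, which is why the script consults the environment before the file.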
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · Apache Airflow