Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the `expose_config` option is set to `non-sensitive-only`. The `expose_config` option is `False` by default. It is recommended to upgrade to a version that is not affected.

Affected Packages

PyPI apache-airflow

Affected versions: 2.7.0 (fixed in 2.7.2)

Related CVEs

CVE-2023-45348

Key Information

GHSA ID

GHSA-fpxx-xv4c-gxqp

Published

October 14, 2023 12:30 PM

Last Modified

March 6, 2024 11:47 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

apache-airflow

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.