The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

Affected Packages

PyPI apache-airflow

Affected versions: 2.0.0 (fixed in 2.1.3)

Related CVEs

CVE-2021-38540

Key Information

GHSA ID

GHSA-h88f-r7cw-8fv3

Published

May 24, 2022 7:14 PM

Last Modified

September 11, 2024 7:50 PM

CVSS Score

9.0 /10

Primary Ecosystem

PyPI

Primary Package

apache-airflow

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 24, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.