GHSA-m6h2-jx9v-58w6

GitHub Security Advisory

Missing Authorization in Apache Airflow

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

If remote logging is not used, the worker (with CeleryExecutor) or the scheduler (with LocalExecutor) runs a Flask logging server that listens on a specific port and binds to 0.0.0.0 by default. This logging server had no authentication and allowed reading the log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.
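As an added example (not part of the advisory or of Airflow's own code), the check below applies the advisory's conditions to a deployment's version and `airflow.cfg` text. It assumes the Airflow 2.x configuration layout (`[core] executor`, `[logging] remote_logging`), Airflow's defaults for both, and its `AIRFLOW__SECTION__KEY` environment overrides; `audit`, `setting` and `parse_version` are illustrative names and the sample configuration is constructed.

```python
import configparser
import re

FIXED = (2, 1, 2)  # first fixed release, per the advisory
# Component that runs the log server for each executor the advisory names.
LOG_SERVER_HOST = {"CeleryExecutor": "worker", "LocalExecutor": "scheduler"}


def parse_version(text):
    """Leading numeric parts: '2.1.0' -> (2, 1, 0). Suffixes such as rc1 are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def setting(cfg, env, section, key, default):
    """An AIRFLOW__SECTION__KEY environment variable overrides airflow.cfg."""
    override = env.get(f"AIRFLOW__{section.upper()}__{key.upper()}")
    if override is not None:
        return override
    return cfg.get(section, key, fallback=default)


def audit(version, cfg_text, env=None):
    """Return (exposed, reason) for one deployment, following the advisory."""
    env = env or {}
    cfg = configparser.ConfigParser(interpolation=None)  # log formats contain '%'
    cfg.read_string(cfg_text)
    if parse_version(version) >= FIXED:
        return False, "apache-airflow >= 2.1.2"
    remote = setting(cfg, env, "logging", "remote_logging", "False")
    if remote.strip().lower() in {"true", "t", "1"}:
        return False, "remote logging is enabled"
    executor = setting(cfg, env, "core", "executor", "SequentialExecutor").strip()
    host = LOG_SERVER_HOST.get(executor)
    if host is None:
        return False, f"{executor} is not an executor the advisory names"
    return True, f"{host} runs the unauthenticated log server on 0.0.0.0"


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CFG = """
[core]
executor = CeleryExecutor
[logging]
remote_logging = False
log_format = [%(asctime)s] %(message)s
"""
```

A deployment on the Airflow 1.x layout keeps `remote_logging` under `[core]`, so this check reports it as exposed even when remote logging is on; treat that result as a prompt to verify by hand.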

Affected Packages

PyPI apache-airflow
Affected versions: all versions before 2.1.2 (introduced: 0, fixed in 2.1.2)

Key Information

GHSA ID: GHSA-m6h2-jx9v-58w6
Published: August 30, 2021 4:25 PM
Last Modified: September 11, 2024 7:51 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: PyPI
Primary Package: apache-airflow
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 23, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.