Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.

Users should upgrade to version 2.7.1 or later which has removed the vulnerability.

Affected Packages

PyPI apache-airflow

Affected versions: 0 (fixed in 2.7.1)

Related CVEs

CVE-2023-40611

Key Information

GHSA ID

GHSA-wpg8-mf6h-gm92

Published

September 12, 2023 6:58 PM

Last Modified

February 13, 2025 7:11 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

apache-airflow

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 23, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.