Description

DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.

INFO

Published Date :

2026-02-24T10:06:41.162Z

Last Modified :

2026-02-26T14:44:09.219Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2024-56373 vulnerability.

Vendors Products
Apache
  • Airflow
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-56373.

URL Resource
http://www.openwall.com/lists/oss-security/2026/02/23/3 cve-icon
https://github.com/apache/airflow/pull/61880 cve-icon cve-icon
https://lists.apache.org/thread/2vrmrhcht6g7cp5yjxpnrk2wtrncm6cy cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact