CVE-2021-26559

CVE-2021-26559: CWE-284 Improper Access Control on Configurations Endpoint for the Stable API

Vendor Apache Software Foundation
Product Apache Airflow
Weakness CWE-284
Published February 17, 2021
Last update February 13, 2025

CVSS base score

What the vulnerability does

01Description

Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.

Key dates

02Disclosure timeline

February 17, 2021 CVE published
February 13, 2025 Record updated