PT-2023-8381 · Apache · Apache Airflow

0Xt4Req +2 · Published 2023-12-21 · Updated 2024-03-06 · CVE-2023-49920

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions 2.7.0 through 2.7.3

Description: The issue is related to insufficient authentication of executed requests in Apache Airflow, allowing an attacker to trigger a DAG with a GET request without CSRF validation. This could enable a malicious website opened in the same browser as the Airflow UI to trigger the execution of DAGs without the user's consent.

Recommendations: For Apache Airflow versions 2.7.0 through 2.7.3, upgrade to version 2.8.0 or later, which is not affected by this issue. As a temporary workaround, consider restricting access to the Airflow UI to minimize the risk of exploitation.
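The defect described above, a state-changing "trigger" endpoint that acts on a GET request and never checks a CSRF token, modelled as an added example beside its hardened form. This is illustrative code written for this page, not Airflow's own handler; the `Request` class and the `/trigger` path are constructed stand-ins for a web framework's request object, and the vulnerable variant is kept only to show what the fix changes.

```python
"""Vulnerable vs. hardened handling of a state-changing 'trigger DAG' request.
Stdlib only. Request is a constructed stand-in for a framework request."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    args: dict = field(default_factory=dict)     # query string (?dag_id=...)
    form: dict = field(default_factory=dict)     # POST body fields
    session: dict = field(default_factory=dict)  # cookie-backed server session


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session; forms must echo it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def trigger_dag_vulnerable(req: Request, triggered: list) -> int:
    """Weak pattern: a GET carrying dag_id runs the DAG. A cross-site GET
    arrives with the victim's session cookie, so nothing ties it to the user's
    intent. Returns an HTTP-style status code."""
    if req.path != "/trigger":
        return 404
    dag_id = req.args.get("dag_id") or req.form.get("dag_id")
    if not dag_id:
        return 400
    triggered.append(dag_id)
    return 302


def trigger_dag_hardened(req: Request, triggered: list) -> int:
    """Fixed pattern: state changes only on POST, and only when the form carries
    the token bound to this session, compared in constant time."""
    if req.path != "/trigger":
        return 404
    if req.method != "POST":
        return 405  # GET must be side-effect free
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # token missing, stale, or from another session
    dag_id = req.form.get("dag_id")
    if not dag_id:
        return 400
    triggered.append(dag_id)
    return 302
```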

Fix

CSRF


Weakness Enumeration

Related identifiers

BDU:2024-00577
BIT-AIRFLOW-2023-49920
CVE-2023-49920
GHSA-6M9R-7WRX-XMR6
PYSEC-2023-266

Affected products

Apache Airflow