Ephraim Anierobi

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.8.0 **Description** The issue is related to improper access control in Apache Airflow, allowing an authenticated user without the variable edit permission to update a variable. This compromises the integrity of variable management and could lead to unauthorized data modification. **Recommendations** For Apache Airflow versions prior to 2.8.0, upgrade to version 2.8.0 to fix the issue. As a temporary workaround, consider restricting access to the variable management feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.7.2 **Description** The issue allows an authorized user with access to read specific DAGs only to read information about task instances in other DAGs. This is due to a lack of protection for internal data. Exploitation of this issue may allow a remote attacker to gain read access to data. **Recommendations** For versions prior to 2.7.2, upgrade to version 2.7.2 or newer to mitigate the risk associated with this issue.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.6.3 **Description** The issue allows an unauthorized actor to gain access to sensitive information in the Connection edit view. This is considered a low-risk vulnerability as it requires access to Connection resources and specific actions to exploit. **Recommendations** For versions prior to 2.6.3, upgrade to version 2.6.3 or later to resolve the issue.