Airflow · Airflow · CVE-2024-31869
**Name of the Vulnerable Software and Affected Versions**
Airflow versions 2.7.0 through 2.8.4
**Description**
The issue stems from insufficient protection of internal data: an authenticated user can read sensitive provider configuration through the "Configuration" UI page when the `webserver.expose_config` option is set to `non-sensitive-only`. This primarily affects the Celery provider, whose configuration includes sensitive values.
**Recommendations**
For Airflow versions 2.7.0 through 2.8.4, upgrade to Airflow 2.9 or, as a workaround, set the `webserver.expose_config` option to `False`.
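The following is an added example, not part of the advisory or of the Airflow project, showing how a defender can check a deployment against the advisory's conditions: it reads the `[webserver] expose_config` value from an `airflow.cfg` text (honouring the `AIRFLOW__WEBSERVER__EXPOSE_CONFIG` environment override that Airflow applies on top of the file) and combines it with the running version to classify the host. The config snippets and version strings are constructed for the example.

```python
"""Check an Airflow deployment's expose_config setting against CVE-2024-31869.

Added example, not part of the advisory. Assumes the standard airflow.cfg
layout ([webserver] section, expose_config key) and the usual
AIRFLOW__WEBSERVER__EXPOSE_CONFIG environment-variable override.
"""
import configparser
import os
import re

AFFECTED_MIN = (2, 7, 0)
AFFECTED_MAX = (2, 8, 4)   # inclusive, per the advisory


def parse_version(text):
    """Turn '2.8.4' (or '2.8.4rc1') into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Airflow version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True when the version lies in the advisory's 2.7.0 .. 2.8.4 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def effective_expose_config(cfg_text, env=None):
    """Return the effective expose_config value, lower-cased.

    Airflow lets environment variables override airflow.cfg, so the
    AIRFLOW__WEBSERVER__EXPOSE_CONFIG variable wins when it is present.
    When neither source sets the option the default is 'false'.
    """
    env = os.environ if env is None else env
    override = env.get("AIRFLOW__WEBSERVER__EXPOSE_CONFIG")
    if override is not None:
        return override.strip().lower()
    # interpolation=None: airflow.cfg values may legitimately contain '%'
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("webserver", "expose_config", fallback="False").strip().lower()


def assess(version, cfg_text, env=None):
    """Classify the deployment.

    'patched'    - version outside the affected range
    'vulnerable' - affected version and expose_config is 'non-sensitive-only',
                   the condition the advisory describes
    'exposed'    - affected version and expose_config is 'true': the UI shows
                   the whole configuration, sensitive values included, by design
    'mitigated'  - affected version but expose_config is off (the workaround)
    """
    value = effective_expose_config(cfg_text, env)
    if not is_affected_version(version):
        return "patched"
    if value == "non-sensitive-only":
        return "vulnerable"
    if value == "true":
        return "exposed"
    return "mitigated"


if __name__ == "__main__":
    # Constructed sample: an affected release with the risky setting in the file,
    # and the same host after applying the workaround via environment override.
    SAMPLE_CFG = "[webserver]\nexpose_config = non-sensitive-only\n"
    print("file only      :", assess("2.8.1", SAMPLE_CFG, env={}))
    print("env workaround :", assess("2.8.1", SAMPLE_CFG,
                                      env={"AIRFLOW__WEBSERVER__EXPOSE_CONFIG": "False"}))
    print("after upgrade  :", assess("2.9.0", SAMPLE_CFG, env={}))
```

Run it against the real file with `assess(airflow_version, open("airflow.cfg").read())`; leaving `env` as `None` makes it consult the process environment, which is what the webserver itself sees.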