Apache · Apache Airflow · CVE-2021-38540
**Name of the Vulnerable Software and Affected Versions**
Apache Airflow versions 2.0.0 through 2.1.2
**Description**
The variable import endpoint is not protected by authentication. Unauthenticated users can reach the endpoint and add or modify Airflow variables used in DAGs, potentially leading to denial of service, information disclosure, or remote code execution.
**Recommendations**
For Apache Airflow versions 2.0.0 through 2.1.2, update to version 2.1.3 or later to resolve the issue.
As a temporary workaround, consider restricting access to the variable import endpoint until the update can be applied.
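
To find which hosts fall inside the affected range stated above, the following added example (not part of the advisory or of the Airflow project) classifies `pip freeze` or requirements lines against 2.0.0 through 2.1.2. The hostnames and package lists are constructed sample data, and the status labels are names chosen for this example.

```python
import re

# Range taken from the advisory: 2.0.0 through 2.1.2 affected, 2.1.3 fixed.
AFFECTED_MIN = (2, 0, 0)
FIXED_IN = (2, 1, 3)

# Matches the core package only, not apache-airflow-providers-* pins.
_PIN = re.compile(
    r"^apache[-_.]airflow(?:\[[^\]]*\])?==(\d+)\.(\d+)\.(\d+)(\S*)", re.IGNORECASE
)

def classify(line):
    """Classify one requirements/pip-freeze line.

    Returns 'affected', 'outside_range', 'review', or None when the line
    is not an exact apache-airflow pin.
    """
    m = _PIN.match(line.strip())
    if not m:
        return None
    release = tuple(int(part) for part in m.group(1, 2, 3))
    suffix = m.group(4)
    # rc/beta/dev/post/local builds are not final releases, so the advisory's
    # range does not say which side of the fix they fall on.
    if suffix and AFFECTED_MIN <= release <= FIXED_IN:
        return "review"
    if AFFECTED_MIN <= release < FIXED_IN:
        return "affected"
    return "outside_range"

def triage(inventory):
    """Map each host to the status of its apache-airflow pin (or 'not_installed')."""
    report = {}
    for host, lines in inventory.items():
        statuses = [s for s in map(classify, lines) if s]
        report[host] = statuses[0] if statuses else "not_installed"
    return report

# Constructed sample inventory (hostnames and package lists are made up).
SAMPLE = {
    "sched-01": ["apache-airflow==2.1.2", "apache-airflow-providers-http==2.0.0"],
    "sched-02": ["apache-airflow[celery]==2.1.3"],
    "sched-03": ["Apache_Airflow==2.1.3rc1"],
    "etl-07": ["apache-airflow==1.10.15"],
    "web-02": ["flask==1.1.4"],
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` run a pre-release or otherwise non-final build and need a manual check, since the advisory lists only final releases.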