AVID-2026-R0721

Description

Apache Airflow: Lineage API endpoint for Experimental API missed authentication check (CVE-2021-26697)

Details

The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.

Reason for inclusion in AVID: CVE-2021-26697 describes an authentication bypass vulnerability in Apache Airflow’s Experimental API lineage endpoint. Airflow is a workflow/orchestration tool commonly used to run AI/ML pipelines, so the vulnerability is AI-related and resides in a component used to build/deploy AI systems. It is a security vulnerability with unauthorized access risk, and the candidate report provides explicit CVE details and references to support classification.

References

• NVD entry
• https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
• http://www.openwall.com/lists/oss-security/2021/02/17/2
• https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cdev.airflow.apache.org%3E
• https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E
• https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9%40%3Cannounce.apache.org%3E

Affected or Relevant Artifacts

• Developer: Apache Software Foundation
• Deployer: Apache Software Foundation
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-02-17
• Version: 0.3.3
• AVID Entry