AVID-2026-R1509
Description
Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler (CVE-2024-39877)
Details
Apache Airflow 2.4.0 and later versions before 2.9.3 have a vulnerability that allows authenticated DAG authors to craft the doc_md parameter of a DAG in a way that could execute arbitrary code in the scheduler context, which the Airflow security model forbids. Users should upgrade to version 2.9.3 or later, which removes the vulnerability.
Reason for inclusion in AVID: CVE-2024-39877 describes an authenticated code execution vulnerability in Apache Airflow's scheduler reached through DAG author input (doc_md). Apache Airflow is a core orchestration component, comparable to CI/CD tooling, used to build, train, deploy, and run AI pipelines and workflows. It is therefore a software supply-chain issue affecting AI systems, not a hardware/firmware-only vulnerability. It is a security/safety vulnerability (remote code execution in the scheduler context) with clear evidence in the CVE entry and the associated references.
References
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-39877
- https://github.com/apache/airflow/pull/40522
- https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-07-17
- Version: 0.3.3
- AVID Entry