airflow-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaxil Naik <>
Subject CVE-2021-35936: Apache Airflow: No Authentication on Logging Server
Date Fri, 13 Aug 2021 12:20:03 GMT

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler
(in the case of LocalExecutor) runs a Flask logging server and is listening on a specific
port and also binds on by default.
This logging server had no authentication and allows reading log files of DAG jobs.

This issue affects Apache Airflow < 2.1.2.


Use remote logging with GCS, S3, Elasticsearch etc. This is recommended for production environments.

And do not publicly expose any other ports apart from Webserver port, Flower port etc.


Apache Airflow would like to thank Dolev Farhi for reporting this issue.

View raw message