CVE-2024-56373
Arbitrary Code Execution via Log Template in Apache Airflow
Publication date: 2026-02-24
Last updated on: 2026-02-24
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | all versions before 2.11.1 (2.11.1 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation is to upgrade your Apache Airflow installation to version 2.11.1 or later, or to Airflow 3, where the vulnerable functionality (use of the LogTemplate table) is disabled by default.
If upgrading is not immediately possible, disable the use of the LogTemplate table in your Airflow configuration by modifying the relevant configuration file (`airflow/config_templates/config.yml`) so that log template history is disabled.
Additionally, users can manually rename historical log files to view logs generated before the last log template change without enabling the vulnerable functionality.
Can you explain this vulnerability to me?
CVE-2024-56373 is a vulnerability in Apache Airflow where a DAG Author, a role that already carries significant permissions, can manipulate the Airflow database to execute arbitrary code within the web-server context. The vector is the log template history functionality: a stored log template is rendered when a user views historical task information, which allows code execution that this role should not normally be able to achieve.
To mitigate this risk, use of the LogTemplate table is disabled by default starting with Airflow version 2.11.1. The system then no longer queries the LogTemplate table during log rendering, which removes this attack surface and prevents the resulting remote code execution in the webserver.
How can this vulnerability impact me?
This vulnerability can lead to remote code execution on the Airflow web-server. If exploited, an attacker with DAG Author permissions could execute arbitrary code in the server context, potentially compromising the server, accessing sensitive data, or disrupting workflows.
Because the vulnerability is triggered when users view historical task information, it can be exploited through the Airflow web interface by users who have access to it, increasing the risk of unauthorized control over the Airflow environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability involves checking whether the Airflow instance is using the LogTemplate table for rendering logs, as this is the functionality that introduces the risk.
You can verify the Airflow configuration to see whether LogTemplate table usage is enabled or disabled by inspecting the configuration file `airflow.cfg` or the relevant configuration template file (`airflow/config_templates/config.yml`).
A practical command to check the configuration setting could be:
- `grep -i log_template airflow.cfg`
Additionally, reviewing the Airflow version helps determine whether the fix is applied:
- `airflow version`
If the version is 2.11.1 or later (or Airflow 3), the vulnerability is mitigated by default.