By vendor

Apache vulnerabilities

Known CVEs affecting Apache products, prioritized by severity, with SEC.co remediation and detection guidance.

15 published vulnerabilities

  • CVE-2026-42359HIGH 8.8

    Apache Airflow contains a bypass of an earlier security fix that allows authenticated users with restricted permissions to inject malicious code into deferred tasks. An attacker with legitimate write access to task metadata can craft a specially formatted request to set hidden configuration values that trigger remote code execution when the task resumes. This affects organizations where any untrusted team members have editing permissions on Airflow workflows.

  • CVE-2026-35563HIGH 8.5

    A flaw in Apache Directory LDAP API version 2.1.7 allows an attacker with network interception capability to impersonate an LDAP server. The library validates that a certificate is signed by a trusted authority but fails to confirm that the certificate was actually issued for the LDAP server being connected to. An attacker positioned between a client and server can present any valid certificate from their trust store, hijacking the connection and accessing sensitive authentication and directory data.

  • CVE-2026-42588HIGH 8.1

    Apache ActiveMQ's web console exposes a remote interface (Jolokia) that allows authenticated users to interact with the message broker's management functions. An attacker who has legitimate access credentials can craft a specially formed network connector request that tricks the broker into loading and executing arbitrary code hidden in a Spring XML configuration file. The vulnerability exists because the broker doesn't properly validate the input before processing it, and Spring automatically instantiates code within those XML files before any security checks occur.

  • CVE-2026-41084HIGH 7.5

    A flaw in Apache Airflow's task management API allows an authenticated user with editing permission on one workflow (DAG) to secretly modify task states in completely different workflows—including those owned by other teams. The vulnerability exploits a mismatch between authorization checks (which validate against the workflow in the URL) and the actual workflow being modified (specified in the request body). An attacker with legitimate access to edit one workflow can bypass permission controls to interfere with unrelated workflows, potentially disrupting operations, hiding failures, or triggering unintended task executions.

  • CVE-2026-40961HIGH 7.2

    Apache Airflow contains a flaw in its login redirect mechanism that allows authenticated users to redirect people to malicious websites. The vulnerability exists because the URL safety check (`is_safe_url`) can be circumvented through crafted URLs, enabling attackers to potentially harvest credentials or distribute malware by making the redirect appear to come from a trusted Airflow instance. Any organization running Airflow and allowing authentication should treat this as a priority.

  • CVE-2025-48977MEDIUM 6.5

    Apache Ignite REST API contains a path traversal vulnerability that allows authenticated users to read arbitrary files from the server by manipulating the log path parameter in API commands. An attacker with valid REST API credentials can escape the intended log directory and access sensitive files anywhere on the system. This affects Ignite versions 2.0.0 through 2.17.0, and the vendor has released version 2.18.0 to address it.

  • CVE-2026-40861MEDIUM 6.5

    CVE-2026-40861 is a path traversal vulnerability in Apache Airflow that allows a DAG (Directed Acyclic Graph) author to read or write arbitrary files on the system when the worker and API server share a log directory. An attacker with DAG authoring privileges can either create symbolic links in their task's log folder to access sensitive files like `/etc/passwd` or `airflow.cfg`, or inject path traversal sequences (`..`) in task IDs to escape the intended log directory. The vulnerability exposes confidential configuration data and could enable file overwrites on the API server's filesystem.

  • CVE-2026-42358MEDIUM 6.5

    Apache Airflow's secret-masking feature, which is supposed to hide sensitive values in Variables when they're accessed through the UI or API, has a flaw that lets authenticated users read plaintext secrets stored in deeply nested JSON structures. The masking tool gives up checking for sensitive key names (like 'password', 'token', 'secret', 'api_key') once it reaches a certain nesting depth, so secrets buried deeper than that limit slip through unmasked. Any user with permission to read Variables can exploit this. This is a follow-up to an earlier fix; that patch addressed shallow nesting, but didn't raise the depth limit itself, leaving the same bypass hole for deeper structures.

  • CVE-2026-42360MEDIUM 6.5

    Apache Airflow has a flaw in how it protects sensitive information embedded within complex data structures (like JSON templates). When a workflow template is large enough to exceed Airflow's size limit for storing template data, the system converts it to plain text before masking secrets—a process that loses track of nested sensitive fields like passwords, tokens, and API keys. An authenticated user with access to read stored template fields could then retrieve these unmasked secrets. The issue affects Airflow deployments where workflow authors pass structured data containing nested sensitive values to operators. Even organizations that patched a related vulnerability (CVE-2025-68438) last year need to apply this additional update, as that earlier fix did not address this specific nested-key masking gap.

  • CVE-2026-42253MEDIUM 6.1

    Apache ActiveMQ's web console contains a cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious content into HTTP response headers. The flaw exists in how the MessageServlet handles JMS message properties—it copies them directly into HTTP headers without filtering or validation. An attacker who can craft a JMS message with specially crafted properties could inject security headers, potentially leading to session hijacking, credential theft, or malware delivery when a user views the affected web console. The vulnerability requires user interaction (a victim must view the injected content) and affects versions of ActiveMQ and ActiveMQ Web released before 5.19.7 and 6.2.6.

  • CVE-2026-41017MEDIUM 5.9

    Apache Airflow's JWT authentication middleware fails to mark session cookies as secure, exposing them to interception when the API server sits behind a TLS-terminating reverse proxy—a standard cloud architecture. An attacker on a shared network (public Wi-Fi, compromised LAN, or captive portal) can intercept an authenticated user's session token and replay it to gain API access. The vulnerability only materializes in specific deployment topologies where the reverse proxy strips HTTPS before forwarding to Airflow; teams running Airflow with end-to-end encryption or without reverse proxies are not affected. Apache Airflow 3.2.2 and later patch this issue.

  • CVE-2026-40914MEDIUM 4.3

    Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.

  • CVE-2026-41014MEDIUM 4.3

    Apache Airflow contains an authorization bypass in its UI that allows authenticated users to view information about data pipeline runs (DAGs) they shouldn't have access to. Specifically, a user with broad asset-level read permissions can see partition run states, scheduling details, and data connections for DAGs restricted to other teams or users. This affects only deployments that intentionally segment DAG access by user or role while granting wider asset visibility. The vulnerability requires an existing user account and network access to the Airflow UI or API.

  • CVE-2026-41115MEDIUM 4.3

    Apache Kafka contains an authorization mismatch in its consumer group metadata API. The CONSUMER_GROUP_DESCRIBE operation checks for DESCRIBE permission on groups, but Kafka's documentation and the relevant design specification (KIP-848) incorrectly state it should check for READ permission. This inconsistency between code behavior and documentation can lead to misconfigured access controls—either granting unintended READ access to users who only have DESCRIBE permissions, or blocking legitimate access for users who rely on documentation-based ACL configurations. The vulnerability is not a code flaw but a documentation gap that can cause real-world security postures to diverge from intent.

  • CVE-2026-40963LOW 3.1

    Apache Airflow's UI structure_data endpoint was leaking metadata about linked workflows (DAGs) to users who shouldn't see them. An authenticated user with permission to view one workflow could discover the names and dependency relationships of other workflows they weren't authorized to access. This is a read-only information disclosure—no data modification or system disruption occurs—but it can undermine team isolation in multi-tenant Airflow deployments where workflow topology is considered sensitive.