Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN526
_____________________________________________________________________

DATE                : 20/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow CNCF Kubernetes
                         provider versions prior to 10.17.0,
             Apache Airflow Amazon provider versions prior to 9.28.0.

=====================================================================
https://lists.apache.org/thread/0bcym88d5dplbygzdbf8typ9kg15m87k
https://lists.apache.org/thread/rxydhbt4k00wokn1dldw2wpwjltbox4s
_____________________________________________________________________

CVE-2026-27173: Apache Airflow CNCF Kubernetes provider: JWT Token
Exposure in KubernetesExecutor Command-Line Arguments

Severity: Moderate 

Affected versions:

- Apache Airflow CNCF Kubernetes provider
(apache-airflow-providers-cncf-kubernetes) before 10.17.0

Description:

JWT tokens that were used by workers in Kubernetes Executors have been
exposed to users who had read only access to Kuberentes Pods. This
could allow users with just read-only access to perform actions that
were only available to running tasks via Task SDK and potentially allow
to modify state of Airflow Database for tasks.

Credit:

Nikolai Dvoinishnikov, Welltory (finder)
Anton Kuznetsov, Welltory (finder)
Anish Giri (remediation developer)

References:

https://github.com/apache/airflow/pull/60108
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-27173

_____________________________________________________________________

CVE-2026-42526: Apache Airflow Amazon provider: Prevent unauthorized
access to team-scoped secrets in AWS Secrets Manager and SSM
Parameter Store backends
Severity: low 

Affected versions:

- Apache Airflow Amazon provider (apache-airflow-providers-amazon)
before 9.28.0

Description:

In the AWS Secrets Manager and SSM Parameter Store secrets backends
of `apache-airflow-providers-amazon` prior to 9.28.0, the
team-scoping logic could resolve a `conn_id` containing
a `/` (e.g. `"my_team/conn"`) to the same path as another team's
team-scoped secret when the caller had no team context. A
privileged caller without team context could therefore retrieve
another team's secret by crafting a colliding `conn_id`. Fixed in
9.28.0 by switching the team-scope separator to `--` and rejecting
team-shaped `conn_id`s when team context is absent. Affects the
experimental multi-tenant teams feature only. Users are recommended
to upgrade to `apache-airflow-providers-amazon` 9.28.0, which
fixes the issue.

Credit:

Justin Pakzad (remediation developer)

References:

https://github.com/apache/airflow/pull/65703
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-42526



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================