SQL Injection

Previously, Airflow issued CVEs such as CVE-2025-27018 (SQL injection in a MySQL provider core function). Those CVEs covered the ability to inject SQL without considering which actor could perform the injection. Airflow will no longer issue a CVE for a case of SQL injection unless the reporter can demonstrate a scenario of exploitation. For example, if in a security report the only actor who can perform the injection is one who already has access to the DAGs folder, the report will be rejected. When submitting a security report for SQL injection, the reporter must explain which user can exploit the injection and how that user gained the access needed to perform it. In simple words, if a user has legitimate access to write and access the specific DAG, there is no risk that this user will perform SQL injection.