{"id":"CVE-2021-26559","details":"Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.","aliases":["BIT-airflow-2021-26559","GHSA-ffw3-6mp6-jmvj","PYSEC-2021-2"],"modified":"2026-04-12T00:09:21.493295Z","published":"2021-02-17T15:15:13.500Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8%40%3Cannounce.apache.org%3E"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/02/17/1"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/airflow","events":[{"introduced":"0"},{"last_affected":"8217db8cb4b1ff302c5cf8662477ac00f701e78c"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"2.0.0"}],"cpe":"cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*"}}],"versions":["0.1","0.11","0.2","0.2.1","0.2.2","0.2.3","0.3","0.3.1","0.3.2","0.4","0.4.1","0.4.2","0.4.3","0.4.5","0.5.0","1.0.1","1.1.0","1.1.1","1.2.0","1.3.0","1.4.0","1.5.0","1.5.1","1.6.0","1.6.1","1.7.0rc1","1.7.1rc1","2.0.0","2.0.0a1","2.0.0a2","2.0.0b1","2.0.0b2","2.0.0b3","2.0.0rc1","2.0.0rc2","2.0.0rc3","airbnb_1.7.1rc1","airbnb_1.7.1rc10","airbnb_1.7.1rc3","airbnb_prod.1.6.1.0","airbnb_prod.1.6.1.1","airbnb_prod.1.6.1.2","airbnb_prod.1.6.1.3","airbnb_prod.1.6.1.4","airbnb_prod.1.6.1.5","airbnb_prod.1.6.2.4","airbnb_prod.1.6.2.5","airbnb_prod.1.6.2.7","airbnb_prod.1.6.2.8","airbnb_prod.1.6.2.9","backport-providers-2020.10.29","backport-providers-2020.10.29rc1","backport-providers-2020.10.5","backport-providers-2020.10.5rc1","backport-providers-2020.11.13","backport-providers-2020.11.13rc1","backport-providers-2020.11.23","backport-providers-2020.11.23rc1","backport-providers-2020.2.5rc1","backport-providers-2020.5.20rc1","backport-providers-2020.5.20rc2","backport-providers-2020.5.20rc3","backport-providers-2020.6.24","backport-providers-2020.6.24rc1","backport-providers-2021.2.5","backport-providers-2021.2.5rc1","backport-providers-2021.3.13","backport-providers-2021.3.13rc1","backport-providers-2021.3.17","backport-providers-2021.3.17rc1","backport-providers-2021.3.3","backport-providers-2021.3.3rc1","helm-chart/1.0.0","helm-chart/1.0.0rc1","helm-chart/1.0.0rc2","helm-chart/v1.0.1-dev1","legacy-backport-cutoff-point","master-nightly","nightly","nightly-main","nightly-master","oss-helm-chart/1.1.0-rc1","providers-1.0.0b2","providers-airbyte/1.0.0","providers-airbyte/1.0.0rc1","providers-airbyte/2.0.0","providers-airbyte/2.0.0rc1","providers-airbyte/2.0.0rc2","providers-amazon/1.0.0","providers-amazon/1.1.0","providers-amazon/1.1.0rc1","providers-amazon/1.2.0","providers-amazon/1.2.0rc1","providers-amazon/1.3.0","providers-amazon/1.3.0rc1","providers-amazon/1.4.0","providers-amazon/1.4.0rc1","providers-amazon/2.0.0","providers-amazon/2.0.0rc1","providers-amazon/2.0.0rc2","providers-apache-beam/1.0.0","providers-apache-beam/1.0.0rc1","providers-apache-beam/1.0.1","providers-apache-beam/1.0.1rc1","providers-apache-beam/1.0.1rc2","providers-apache-beam/2.0.0","providers-apache-beam/2.0.0rc1","providers-apache-beam/3.0.0","providers-apache-beam/3.0.0rc1","providers-apache-beam/3.0.0rc2","providers-apache-cassandra/1.0.0","providers-apache-cassandra/1.0.1","providers-apache-cassandra/1.0.1rc1","providers-apache-cassandra/2.0.0","providers-apache-cassandra/2.0.0rc1","providers-apache-cassandra/2.0.0rc2","providers-apache-druid/1.0.0","providers-apache-druid/1.0.1","providers-apache-druid/1.0.1rc1","providers-apache-druid/1.1.0","providers-apache-druid/1.1.0rc1","providers-apache-druid/1.1.0rc2","providers-apache-druid/2.0.0","providers-apache-druid/2.0.0rc1","providers-apache-druid/2.0.0rc2","providers-apache-hdfs/1.0.0","providers-apache-hdfs/1.0.1","providers-apache-hdfs/1.0.1rc1","providers-apache-hdfs/2.0.0","providers-apache-hdfs/2.0.0rc1","providers-apache-hdfs/2.0.0rc2","providers-apache-hive/1.0.0","providers-apache-hive/1.0.1","providers-apache-hive/1.0.1rc1","providers-apache-hive/1.0.2","providers-apache-hive/1.0.2rc1","providers-apache-hive/1.0.3","providers-apache-hive/1.0.3rc1","providers-apache-hive/2.0.0","providers-apache-hive/2.0.0rc1","providers-apache-hive/2.0.0rc2","providers-apache-kylin/1.0.0","providers-apache-kylin/1.0.1","providers-apache-kylin/1.0.1rc1","providers-apache-kylin/2.0.0","providers-apache-kylin/2.0.0rc1","providers-apache-kylin/2.0.0rc2","providers-apache-livy/1.0.0","providers-apache-livy/1.0.1","providers-apache-livy/1.0.1rc1","providers-apache-livy/1.1.0","providers-apache-livy/1.1.0rc1","providers-apache-livy/2.0.0","providers-apache-livy/2.0.0rc1","providers-apache-livy/2.0.0rc2","providers-apache-pig/1.0.0","providers-apache-pig/1.0.1","providers-apache-pig/1.0.1rc1","providers-apache-pig/2.0.0","providers-apache-pig/2.0.0rc1","providers-apache-pig/2.0.0rc2","providers-apache-pinot/1.0.0","providers-apache-pinot/1.0.1","providers-apache-pinot/1.0.1rc1","providers-apache-pinot/2.0.0","providers-apache-pinot/2.0.0rc1","providers-apache-pinot/2.0.0rc2","providers-apache-spark/1.0.0","providers-apache-spark/1.0.1","providers-apache-spark/1.0.1rc1","providers-apache-spark/1.0.2","providers-apache-spark/1.0.2rc1","providers-apache-spark/1.0.3","providers-apache-spark/1.0.3rc1","providers-apache-spark/2.0.0","providers-apache-spark/2.0.0rc1","providers-apache-spark/2.0.0rc2","providers-apache-sqoop/1.0.0","providers-apache-sqoop/1.0.1","providers-apache-sqoop/1.0.1rc1","providers-apache-sqoop/2.0.0","providers-apache-sqoop/2.0.0rc1","providers-apache-sqoop/2.0.0rc2","providers-asana/1.0.0","providers-asana/1.0.0rc1","providers-asana/1.0.0rc2","providers-celery/1.0.0","providers-celery/1.0.1","providers-celery/1.0.1rc1","providers-celery/2.0.0","providers-celery/2.0.0rc1","providers-celery/2.0.0rc2","providers-cloudant/1.0.0","providers-cloudant/1.0.1","providers-cloudant/1.0.1rc1","providers-cloudant/2.0.0","providers-cloudant/2.0.0rc1","providers-cloudant/2.0.0rc2","providers-cncf-kubernetes/1.0.0","providers-cncf-kubernetes/1.0.1","providers-cncf-kubernetes/1.0.1rc1","providers-cncf-kubernetes/1.0.2","providers-cncf-kubernetes/1.0.2rc1","providers-cncf-kubernetes/1.1.0","providers-cncf-kubernetes/1.1.0rc1","providers-cncf-kubernetes/1.2.0","providers-cncf-kubernetes/1.2.0rc1","providers-cncf-kubernetes/2.0.0","providers-cncf-kubernetes/2.0.0rc1","providers-cncf-kubernetes/2.0.0rc2","providers-databricks/1.0.0","providers-databricks/1.0.1","providers-databricks/1.0.1rc1","providers-databricks/2.0.0","providers-databricks/2.0.0rc1","providers-databricks/2.0.0rc2","providers-datadog/1.0.0","providers-datadog/1.0.1","providers-datadog/1.0.1rc1","providers-datadog/2.0.0","providers-datadog/2.0.0rc1","providers-datadog/2.0.0rc2","providers-dingding/1.0.0","providers-dingding/1.0.1","providers-dingding/1.0.1rc1","providers-dingding/1.0.2","providers-dingding/1.0.2rc1","providers-dingding/2.0.0","providers-dingding/2.0.0rc1","providers-dingding/2.0.0rc2","providers-discord/1.0.0","providers-discord/1.0.1","providers-discord/1.0.1rc1","providers-discord/2.0.0","providers-discord/2.0.0rc1","providers-discord/2.0.0rc2","providers-docker/1.0.0","providers-docker/1.0.1","providers-docker/1.0.1rc1","providers-docker/1.0.2","providers-docker/1.0.2rc1","providers-docker/1.1.0","providers-docker/1.1.0rc1","providers-docker/1.2.0","providers-docker/1.2.0rc1","providers-docker/2.0.0","providers-docker/2.0.0rc1","providers-docker/2.0.0rc2","providers-elasticsearch/1.0.0","providers-elasticsearch/1.0.1","providers-elasticsearch/1.0.1rc1","providers-elasticsearch/1.0.2","providers-elasticsearch/1.0.2rc1","providers-elasticsearch/1.0.3","providers-elasticsearch/1.0.3rc1","providers-elasticsearch/1.0.4","providers-elasticsearch/1.0.4rc1","providers-elasticsearch/2.0.0rc1","providers-elasticsearch/2.0.1","providers-elasticsearch/2.0.1rc1","providers-exasol/1.0.0","providers-exasol/1.1.0","providers-exasol/1.1.0rc1","providers-exasol/1.1.1","providers-exasol/1.1.1rc1","providers-exasol/2.0.0","providers-exasol/2.0.0rc1","providers-exasol/2.0.0rc2","providers-facebook/1.0.0","providers-facebook/1.0.1","providers-facebook/1.0.1rc1","providers-facebook/1.1.0","providers-facebook/1.1.0rc1","providers-facebook/2.0.0","providers-facebook/2.0.0rc1","providers-facebook/2.0.0rc2","providers-ftp/1.0.0","providers-ftp/1.0.1","providers-ftp/1.0.1rc1","providers-ftp/1.1.0","providers-ftp/1.1.0rc1","providers-ftp/2.0.0","providers-ftp/2.0.0rc1","providers-ftp/2.0.0rc2","providers-google/1.0.0","providers-google/2.0.0","providers-google/2.0.0rc1","providers-google/2.1.0","providers-google/2.1.0rc1","providers-google/2.2.0","providers-google/2.2.0rc1","providers-google/3.0.0","providers-google/3.0.0rc1","providers-google/4.0.0","providers-google/4.0.0rc1","providers-google/4.0.0rc2","providers-grpc/1.0.0","providers-grpc/1.0.1","providers-grpc/1.0.1rc1","providers-grpc/1.1.0","providers-grpc/1.1.0rc1","providers-grpc/2.0.0","providers-grpc/2.0.0rc1","providers-grpc/2.0.0rc2","providers-hashicorp/1.0.0","providers-hashicorp/1.0.1","providers-hashicorp/1.0.1rc1","providers-hashicorp/1.0.2","providers-hashicorp/1.0.2rc1","providers-hashicorp/2.0.0","providers-hashicorp/2.0.0rc1","providers-hashicorp/2.0.0rc2","providers-http/1.0.0","providers-http/1.1.0","providers-http/1.1.0rc1","providers-http/1.1.1","providers-http/1.1.1rc1","providers-http/2.0.0","providers-http/2.0.0rc1","providers-http/2.0.0rc2","providers-imap/1.0.0","providers-imap/1.0.1","providers-imap/1.0.1rc1","providers-imap/2.0.0","providers-imap/2.0.0rc1","providers-imap/2.0.0rc2","providers-jdbc/1.0.0","providers-jdbc/1.0.1","providers-jdbc/1.0.1rc1","providers-jdbc/2.0.0","providers-jdbc/2.0.0rc1","providers-jdbc/2.0.0rc2","providers-jenkins/1.0.0","providers-jenkins/1.0.1","providers-jenkins/1.0.1rc1","providers-jenkins/1.1.0","providers-jenkins/1.1.0rc1","providers-jenkins/2.0.0","providers-jenkins/2.0.0rc1","providers-jenkins/2.0.0rc2","providers-jira/1.0.0","providers-jira/1.0.1","providers-jira/1.0.1rc1","providers-jira/1.0.2","providers-jira/1.0.2rc1","providers-jira/2.0.0","providers-jira/2.0.0rc1","providers-jira/2.0.0rc2","providers-microsoft-azure/1.0.0","providers-microsoft-azure/1.1.0","providers-microsoft-azure/1.1.0rc1","providers-microsoft-azure/1.2.0","providers-microsoft-azure/1.2.0rc1","providers-microsoft-azure/1.2.0rc2","providers-microsoft-azure/1.3.0","providers-microsoft-azure/1.3.0rc1","providers-microsoft-azure/2.0.0","providers-microsoft-azure/2.0.0rc1","providers-microsoft-azure/3.0.0","providers-microsoft-azure/3.0.0rc1","providers-microsoft-azure/3.0.0rc2","providers-microsoft-mssql/1.0.0","providers-microsoft-mssql/1.0.1","providers-microsoft-mssql/1.0.1rc1","providers-microsoft-mssql/1.1.0","providers-microsoft-mssql/1.1.0rc1","providers-microsoft-mssql/2.0.0","providers-microsoft-mssql/2.0.0rc1","providers-microsoft-mssql/2.0.0rc2","providers-microsoft-winrm/1.0.0","providers-microsoft-winrm/1.0.1","providers-microsoft-winrm/1.0.1rc1","providers-microsoft-winrm/1.1.0","providers-microsoft-winrm/1.1.0rc1","providers-microsoft-winrm/1.2.0","providers-microsoft-winrm/1.2.0rc1","providers-microsoft-winrm/2.0.0","providers-microsoft-winrm/2.0.0rc1","providers-microsoft-winrm/2.0.0rc2","providers-mongo/1.0.0","providers-mongo/1.0.1","providers-mongo/1.0.1rc1","providers-mongo/2.0.0","providers-mongo/2.0.0rc1","providers-mongo/2.0.0rc2","providers-mysql/1.0.0","providers-mysql/1.0.1","providers-mysql/1.0.1rc1","providers-mysql/1.0.2","providers-mysql/1.0.2rc1","providers-mysql/1.1.0","providers-mysql/1.1.0rc1","providers-mysql/2.0.0","providers-mysql/2.0.0rc1","providers-mysql/2.0.0rc2","providers-neo4j/1.0.0","providers-neo4j/1.0.0rc1","providers-neo4j/1.0.1","providers-neo4j/1.0.1rc1","providers-neo4j/2.0.0","providers-neo4j/2.0.0rc1","providers-neo4j/2.0.0rc2","providers-odbc/1.0.0","providers-odbc/1.0.1","providers-odbc/1.0.1rc1","providers-odbc/2.0.0","providers-odbc/2.0.0rc1","providers-odbc/2.0.0rc2","providers-openfaas/1.0.0","providers-openfaas/1.1.0","providers-openfaas/1.1.0rc1","providers-openfaas/1.1.1","providers-openfaas/1.1.1rc1","providers-openfaas/2.0.0","providers-openfaas/2.0.0rc1","providers-openfaas/2.0.0rc2","providers-opsgenie/1.0.0","providers-opsgenie/1.0.1","providers-opsgenie/1.0.1rc1","providers-opsgenie/1.0.2","providers-opsgenie/1.0.2rc1","providers-opsgenie/2.0.0","providers-opsgenie/2.0.0rc1","providers-opsgenie/2.0.0rc2","providers-oracle/1.0.0","providers-oracle/1.0.1","providers-oracle/1.0.1rc1","providers-oracle/1.1.0","providers-oracle/1.1.0rc1","providers-oracle/2.0.0","providers-oracle/2.0.0rc1","providers-oracle/2.0.0rc2","providers-pagerduty/1.0.0","providers-pagerduty/1.0.1","providers-pagerduty/1.0.1rc1","providers-pagerduty/2.0.0","providers-pagerduty/2.0.0rc1","providers-pagerduty/2.0.0rc2","providers-papermill/1.0.0","providers-papermill/1.0.1","providers-papermill/1.0.1rc1","providers-papermill/1.0.2","providers-papermill/1.0.2rc1","providers-papermill/2.0.0","providers-papermill/2.0.0rc1","providers-papermill/2.0.0rc2","providers-plexus/1.0.0","providers-plexus/1.0.1","providers-plexus/1.0.1rc1","providers-plexus/2.0.0","providers-plexus/2.0.0rc1","providers-plexus/2.0.0rc2","providers-postgres/1.0.0","providers-postgres/1.0.1","providers-postgres/1.0.1rc1","providers-postgres/1.0.2","providers-postgres/1.0.2rc1","providers-postgres/2.0.0","providers-postgres/2.0.0rc1","providers-postgres/2.0.0rc2","providers-presto/1.0.0","providers-presto/1.0.1","providers-presto/1.0.1rc1","providers-presto/1.0.2","providers-presto/1.0.2rc1","providers-presto/2.0.0","providers-presto/2.0.0rc1","providers-presto/2.0.0rc2","providers-qubole/1.0.0","providers-qubole/1.0.1","providers-qubole/1.0.1rc1","providers-qubole/1.0.2","providers-qubole/1.0.2rc1","providers-qubole/2.0.0","providers-qubole/2.0.0rc1","providers-qubole/2.0.0rc2","providers-redis/1.0.0","providers-redis/1.0.1","providers-redis/1.0.1rc1","providers-redis/2.0.0","providers-redis/2.0.0rc1","providers-redis/2.0.0rc2","providers-salesforce/1.0.0","providers-salesforce/1.0.1","providers-salesforce/1.0.1rc1","providers-salesforce/2.0.0","providers-salesforce/2.0.0rc1","providers-salesforce/2.0.0rc2","providers-salesforce/3.0.0","providers-salesforce/3.0.0rc1","providers-salesforce/3.0.0rc2","providers-samba/1.0.0","providers-samba/1.0.1","providers-samba/1.0.1rc1","providers-samba/2.0.0","providers-samba/2.0.0rc1","providers-samba/2.0.0rc2","providers-segment/1.0.0","providers-segment/1.0.1","providers-segment/1.0.1rc1","providers-segment/2.0.0","providers-segment/2.0.0rc1","providers-segment/2.0.0rc2","providers-sendgrid/1.0.0","providers-sendgrid/1.0.1","providers-sendgrid/1.0.1rc1","providers-sendgrid/1.0.2","providers-sendgrid/1.0.2rc1","providers-sendgrid/2.0.0","providers-sendgrid/2.0.0rc1","providers-sendgrid/2.0.0rc2","providers-sftp/1.0.0","providers-sftp/1.1.0","providers-sftp/1.1.0rc1","providers-sftp/1.1.1","providers-sftp/1.1.1rc1","providers-sftp/1.2.0","providers-sftp/1.2.0rc1","providers-sftp/2.0.0","providers-sftp/2.0.0rc1","providers-sftp/2.0.0rc2","providers-singularity/1.0.0","providers-singularity/1.0.1","providers-singularity/1.0.1rc1","providers-singularity/1.1.0","providers-singularity/1.1.0rc1","providers-singularity/2.0.0","providers-singularity/2.0.0rc1","providers-singularity/2.0.0rc2","providers-slack/1.0.0","providers-slack/2.0.0","providers-slack/2.0.0rc1","providers-slack/3.0.0","providers-slack/3.0.0rc1","providers-slack/4.0.0","providers-slack/4.0.0rc1","providers-slack/4.0.0rc2","providers-snowflake/1.0.0","providers-snowflake/1.1.0","providers-snowflake/1.1.0rc1","providers-snowflake/1.1.1","providers-snowflake/1.1.1rc1","providers-snowflake/1.1.1rc2","providers-snowflake/1.2.0","providers-snowflake/1.2.0rc1","providers-snowflake/1.3.0","providers-snowflake/1.3.0rc1","providers-snowflake/2.0.0","providers-snowflake/2.0.0rc1","providers-snowflake/2.0.0rc2","providers-snowflake/2.0.0rc3","providers-sqlite/1.0.0","providers-sqlite/1.0.1","providers-sqlite/1.0.1rc1","providers-sqlite/1.0.2","providers-sqlite/1.0.2rc1","providers-sqlite/2.0.0","providers-sqlite/2.0.0rc1","providers-sqlite/2.0.0rc2","providers-ssh/1.0.0","providers-ssh/1.1.0","providers-ssh/1.1.0rc1","providers-ssh/1.2.0","providers-ssh/1.2.0rc1","providers-ssh/1.3.0","providers-ssh/1.3.0rc1","providers-ssh/2.0.0","providers-ssh/2.0.0rc1","providers-ssh/2.0.0rc2","providers-tableau/1.0.0","providers-tableau/1.0.0rc1","providers-tableau/2.0.0","providers-tableau/2.0.0rc1","providers-tableau/2.0.0rc2","providers-telegram/1.0.0","providers-telegram/1.0.1","providers-telegram/1.0.1rc1","providers-telegram/1.0.2","providers-telegram/1.0.2rc1","providers-telegram/2.0.0","providers-telegram/2.0.0rc1","providers-telegram/2.0.0rc2","providers-trino/1.0.0","providers-trino/1.0.0rc1","providers-trino/2.0.0","providers-trino/2.0.0rc1","providers-trino/2.0.0rc2","providers-vertica/1.0.0","providers-vertica/1.0.1","providers-vertica/1.0.1rc1","providers-vertica/2.0.0","providers-vertica/2.0.0rc1","providers-vertica/2.0.0rc2","providers-yandex/1.0.0","providers-yandex/1.0.1","providers-yandex/1.0.1rc1","providers-yandex/2.0.0","providers-yandex/2.0.0rc1","providers-yandex/2.0.0rc2","providers-zendesk/1.0.0","providers-zendesk/1.0.1","providers-zendesk/1.0.1rc1","providers-zendesk/2.0.0","providers-zendesk/2.0.0rc1","providers-zendesk/2.0.0rc2","providers/1.0.0b2","providers/1.0.0rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-26559.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}