SCA: security update for apache-airflow (GHSA-j86x-fwp2-qh7v)

medium Tenable Self-Hosted Container Security Plugin ID 440427

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to
take appropriate actions and pay attention to security details and security model of Airflow. Some
assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's
intentions and security model of Airflow did not suggest different assumptions. The overall security model
[1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users
concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade
to Airflow 3.2, where several security improvements have been implemented. They should also read and
follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that
the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been
communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model:
https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload
isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token
authentication: https://airflow.apache.org/docs/apache-
airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement:
https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which
fixes this issue. (CVE-2025-66236)

Solution

Update the apache-airflow library and its related packages to version 3.2.0 or later.

See Also

https://github.com/advisories/GHSA-j86x-fwp2-qh7v

Plugin Details

Severity: Medium

ID: 440427

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 4/15/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-66236

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Threat Score: 1.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/13/2026

Vulnerability Publication Date: 4/13/2026

Reference Information

CVE: CVE-2025-66236

cwe: CWE-532