Apache Airflow Configuration File Detected

medium Web App Scanning Plugin ID 115131

Language:

Synopsis

Apache Airflow Configuration File Detected

Description

Apache Airflow is an open-source platform to programmatically author, schedule, and monitor workflows. By default, Apache Airflow uses a configuration file named airflow.cfg to store its configuration settings.

If an attacker can access the airflow.cfg file, they may be able to gather sensitive information about the Airflow instance, such as database connection details, authentication credentials, and other configuration settings.

Solution

Ensure that the configuration file is not deployed with the application or, at least, is not exposed in a web server directory by setting proper permissions on it.

See Also

https://airflow.apache.org/docs/apache-airflow/stable/howto/set-config.html

Plugin Details

Severity: Medium

ID: 115131

Type: remote

Family: Data Exposure

Published: 2/11/2026

Updated: 2/11/2026

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 538

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1, 2025-A1

WASC: Predictable Resource Location

CAPEC: 95

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

PCI-DSS: 3.2-2.2