Apache Airflow Experimental API Auth Bypass CVE-2020-13927
Description
Apache Airflow is an open-source workflow management platform for data engineering pipelines.
CVE-2020-13927 is an authentication bypass vulnerability affecting the Experimental API in Apache Airflow. This vulnerability allows unauthenticated remote attackers to access API endpoints that should require authentication, enabling them to execute administrative operations without providing credentials. The issue stems from improper authentication enforcement in the experimental API module, which was designed for trusted network environments but may be exposed to untrusted networks in certain deployments.
Remediation
Take the following steps to remediate this vulnerability:
1. Upgrade Apache Airflow to version 1.10.11 or later, which includes a fix for CVE-2020-13927
2. Disable the Experimental API if not required by setting the following in your airflow.cfg:
[api] enable_experimental_api = False
3. Implement network-level access controls to restrict Airflow access to trusted networks only. Configure firewall rules or security groups to limit exposure
4. Enable authentication for all API endpoints if the Experimental API must remain active. Configure one of the supported authentication backends in airflow.cfg
5. Migrate to the stable REST API (available in Airflow 2.0+) which has proper authentication and authorization controls built-in
6. Verify the fix by attempting to access experimental API endpoints without credentials - requests should be rejected with authentication errors