Apache (The Apache Software Foundation)
Products by Apache Sorted by Most Security Vulnerabilities since 2018
Recent Apache Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2.4.66 | 5 Vulnerabilities Fixed in Apache HTTP Server 2.4.66 | December 4, 2025 |
| 2.4.65 | Vulnerability Fixed in Apache HTTP Server 2.4.65 | July 23, 2025 |
| 2.4.64 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.64 | July 10, 2025 |
| 2.4.62 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.62 | July 17, 2024 |
| 2.4.61 | Vulnerability Fixed in Apache HTTP Server 2.4.61 | July 16, 2024 |
| 2.4.60 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.60 | July 15, 2024 |
| 2.4.59 | 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.59 | April 4, 2024 |
| 2.4.58 | 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.58 | October 19, 2023 |
| 2.4.56 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.56 | March 7, 2023 |
| 2.4.55 | 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.55 | January 17, 2023 |
Known Exploited Apache Vulnerabilities
The following Apache vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Apache ActiveMQ Improper Input Validation Vulnerability | Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection. CVE-2026-34197 Exploit Probability: 6.2% | April 16, 2026 |
| Apache HTTP Server Improper Escaping of Output Vulnerability | Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. CVE-2024-38475 Exploit Probability: 93.4% | May 1, 2025 |
| Apache Tomcat Path Equivalence Vulnerability | Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request. CVE-2025-24813 Exploit Probability: 94.2% | April 1, 2025 |
| Apache OFBiz Forced Browsing Vulnerability | Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access. CVE-2024-45195 Exploit Probability: 94.1% | February 4, 2025 |
| Apache HugeGraph-Server Improper Access Control Vulnerability | Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. CVE-2024-27348 Exploit Probability: 94.3% | September 18, 2024 |
| Apache OFBiz Incorrect Authorization Vulnerability | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. CVE-2024-38856 Exploit Probability: 94.4% | August 27, 2024 |
| Apache OFBiz Path Traversal Vulnerability | Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. CVE-2024-32113 Exploit Probability: 94.0% | August 7, 2024 |
| Apache Flink Improper Access Control Vulnerability | Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. CVE-2020-17519 Exploit Probability: 94.3% | May 23, 2024 |
| Apache Superset Insecure Default Initialization of Resource Vulnerability | Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions. CVE-2023-27524 Exploit Probability: 84.1% | January 8, 2024 |
| Apache ActiveMQ Deserialization of Untrusted Data Vulnerability | Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. CVE-2023-46604 Exploit Probability: 94.4% | November 2, 2023 |
| Apache RocketMQ Command Execution Vulnerability | Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as or achieve the same effect by forging the RocketMQ protocol content. CVE-2023-33246 Exploit Probability: 94.4% | September 6, 2023 |
| Apache Tomcat Remote Code Execution Vulnerability | Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types. CVE-2016-8735 Exploit Probability: 93.8% | May 12, 2023 |
| Apache Log4j2 Deserialization of Untrusted Data Vulnerability | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. CVE-2021-45046 Exploit Probability: 94.3% | May 1, 2023 |
| Apache Spark Command Injection Vulnerability | Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. CVE-2022-33891 Exploit Probability: 93.5% | March 7, 2023 |
| Apache APISIX Authentication Bypass Vulnerability | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. CVE-2022-24112 Exploit Probability: 94.4% | August 25, 2022 |
| Apache CouchDB Insecure Default Initialization of Resource Vulnerability | Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. CVE-2022-24706 Exploit Probability: 94.4% | August 25, 2022 |
| Apache Kylin OS Command Injection Vulnerability | Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution. CVE-2020-1956 Exploit Probability: 93.9% | March 25, 2022 |
| Apache Struts Improper Input Validation Vulnerability | Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions. CVE-2013-2251 Exploit Probability: 94.3% | March 25, 2022 |
| Apache Tomcat on Windows Remote Code Execution Vulnerability | When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12615 Exploit Probability: 94.2% | March 25, 2022 |
| Apache Tomcat Remote Code Execution Vulnerability | When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12617 Exploit Probability: 94.4% | March 25, 2022 |
Of the known exploited vulnerabilities above, 19 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
Top 10 Riskiest Apache Vulnerabilities
Based on the current exploit probability, these Apache vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2019-17558 | 94.5% | Apache Solr 5.0.0-8.3.1 Remote Code Execution Vulnerability |
| 2 | CVE-2020-1938 | 94.5% | Apache Tomcat Improper Privilege Management Vulnerability |
| 3 | CVE-2022-24112 | 94.4% | Apache APISIX Authentication Bypass Vulnerability |
| 4 | CVE-2023-46604 | 94.4% | Apache ActiveMQ Deserialization of Untrusted Data Vulnerability |
| 5 | CVE-2021-40438 | 94.4% | Apache HTTP Server-Side Request Forgery (SSRF) |
| 6 | CVE-2018-11776 | 94.4% | Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 Remote Code Execution Vulnerability |
| 7 | CVE-2021-42013 | 94.4% | Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal |
| 8 | CVE-2021-41773 | 94.4% | Apache HTTP Server Path Traversal Vulnerability |
| 9 | CVE-2023-33246 | 94.4% | Apache RocketMQ Command Execution Vulnerability |
| 10 | CVE-2020-17530 | 94.4% | Apache Struts Forced OGNL Double Evaluation Remote Code Execution |
By the Year
In 2026 there have been 152 vulnerabilities in Apache with an average score of 7.2 out of ten. Last year, in 2025, Apache had 229 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Apache in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.04.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 152 | 7.25 |
| 2025 | 229 | 7.29 |
| 2024 | 275 | 7.46 |
| 2023 | 274 | 7.47 |
| 2022 | 228 | 7.63 |
| 2021 | 212 | 7.61 |
| 2020 | 160 | 7.61 |
| 2019 | 163 | 7.34 |
| 2018 | 155 | 7.24 |
It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-41873 | Apr 28, 2026 | HTTP Request/Response Smuggling Enables Admin Takeover in Pony Mail Lua. ** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under the name "Pony Mail Foal" that is not affected by this issue, but hasn't been released yet. As the Lua implementation of this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |
| CVE-2026-41636 | Apr 28, 2026 | Uncontrolled Recursion Exposed in Apache Thrift Node.js Bindings <0.23.0. Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | |
| CVE-2026-41607 | Apr 28, 2026 | OOB Read Vulnerability in Apache Thrift before 0.23.0. Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | |
| CVE-2026-41606 | Apr 28, 2026 | Apache Thrift <0.23.0: Uncontrolled Recursion Vulnerability. Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | |
| CVE-2026-41605 | Apr 28, 2026 | Apache Thrift Int Overflow or Wraparound <0.23.0; Fixed 0.23.0. Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | |
| CVE-2026-41604 | Apr 28, 2026 | CVE-2026-41604: OOB Read in Apache Thrift < 0.23.0. Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | |
| CVE-2026-41603 | Apr 28, 2026 | Apache Thrift CVE-2026-41603: Improper Cert Host Mismatch Before 0.23.0. Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | |
| CVE-2026-41602 | Apr 28, 2026 | Apache Thrift Go TFramedTransport Integer Overflow (<0.23.0). Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | |
| CVE-2025-48431 | Apr 28, 2026 | Apache Thrift 0.23+ Mismatched Memory Mgmt Routines Vulnerability. Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message. | |
| CVE-2026-40557 | Apr 27, 2026 | Apache Storm Prometheus Reporter TLS Downgrade 2.6.3-2.8.6. Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter. Versions Affected: from 2.6.3 to 2.8.6. Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration -> PrometheusPreparableReporter.prepare() -> INSECURE_CONNECTION_FACTORY -> SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate. | |
| CVE-2026-41081 | Apr 27, 2026 | Apache Storm TLS Client Auth Fail-Open (2.8.7). Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm. Versions Affected: up to 2.8.7. Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTransportPlugin assigns a fallback principal (CN=ANONYMOUS) if no client certificate is presented or if certificate verification fails. The underlying SSLPeerUnverifiedException is caught and suppressed rather than rejecting the connection. This fail-open behavior means an unauthenticated client can establish a TLS connection and receive a valid principal identity. If the configured authorizer (e.g., SimpleACLAuthorizer) does not explicitly deny access to CN=ANONYMOUS, this may result in unauthorized access to Storm services. The condition is logged at debug level only, reducing visibility in production. Impact: Unauthenticated clients may be assigned a principal identity, potentially bypassing authorization in permissive or misconfigured environments. Mitigation: Users should upgrade to 2.8.7 in which TLS authentication failures are handled in a fail-closed manner. Users who cannot upgrade immediately should: (1) enable mandatory client certificate authentication (nimbus.thrift.tls.client.auth.required: true); (2) ensure authorization rules explicitly deny access to CN=ANONYMOUS; (3) review all ACL configurations for implicit default-allow behavior. | |
| CVE-2026-27172 | Apr 27, 2026 | Apache Camel 4.14.x Vulnerable ConsulRegistry: Deserialization RCE. The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1. | |
| CVE-2026-33453 | Apr 27, 2026 | Apache Camel CoAP component RCE via header injection (4.14.0-4.18.0). Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec). The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue. | |
| CVE-2026-33454 | Apr 27, 2026 | Apache Camel Mail Header Injection via camel-mail (3.0-4.18.1). The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. | |
| CVE-2026-40022 | Apr 27, 2026 | Apache Camel 4.14.x/4.18.x Auth Path Bypass in camel-platform-http-main. When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2. | |
| CVE-2026-40858 | Apr 27, 2026 | Apache Camel infinispan ProtoStream deserialization RCE before 4.20.0. The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-23322 refers to the various commits that resolved the issue, and has more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747. | |
| CVE-2026-41409 | Apr 27, 2026 | Apache MINA 2.x insecure deserialization via IoBuffer.getObject() (before 2.0.28). The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late, after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade. | |
| CVE-2026-41635 | Apr 27, 2026 | Apache MINA IoBuffer Class Allowlist Bypass (v2.0.0-2.2.5). Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade. | |
| CVE-2026-40453 | Apr 27, 2026 | Apache Camel RCE via HeaderFilterStrategy Injection (pre-4.20.0). The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | |
| CVE-2026-40860 | Apr 27, 2026 | Apache Camel JmsBinding Deserialization RCE before 4.20.0. JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | |
| CVE-2026-40048 | Apr 27, 2026 | Apache Camel 4.19.0-4.20.0 RCE via unfiltered deserialization in FBKLM. The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application (for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack) can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2. | |
| CVE-2026-40473 | Apr 27, 2026 | Apache Camel camel-mina ObjIn type conv flaw before 4.20.0. The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | |
| CVE-2026-38743 | Apr 24, 2026 | Apache Airflow 3.2.* per-DAG RBAC bypass via /ui/dags (CVE-2026-38743). The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because HITL prompts and TaskInstance fields routinely carry operator parameters and free-form context attached to a task, the leak widens visibility of DAG-run data beyond the intended per-DAG RBAC boundary for every authenticated user. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | |
| CVE-2026-40690 | Apr 24, 2026 | Apache Airflow 3.2.1 DepGraph info leak via DAG read perms. The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | |
| CVE-2026-23902 | Apr 24, 2026 | Apache DolphinScheduler <3.4.1 Auth Bypass: Tenant Hijack. Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution. This issue affects Apache DolphinScheduler versions prior to 3.4.1. Users are recommended to upgrade to version 3.4.1, which fixes this issue. | |
| CVE-2025-62233 | Apr 24, 2026 | Deserialization Vulnerability in Apache DolphinScheduler RPC (3.2.0-<3.3.1). Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue affects Apache DolphinScheduler: Version >= 3.2.0 and < 3.3.1. Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes. Users are recommended to upgrade to version 3.3.1, which fixes the issue. | |
| CVE-2026-41044 | Apr 24, 2026 | Apache ActiveMQ code injection via admin console broker name pre 5.19.6/6.2.5. Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name, which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue. | |
|
| CVE-2026-41043 | Apr 24, 2026 |
Apache ActiveMQ Web Basic XSS Fixed in 5.19.6/6.2.5Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field. This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue. |
|
| CVE-2026-40466 | Apr 24, 2026 |
Apache ActiveMQ Broker <5.19.6/6.2.5: Code Injection via HTTP Disc ConnectorImproper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue. |
|
| CVE-2026-40542 | Apr 22, 2026 |
Apache HttpClient 5.6 Auth Bypass SCRAM-SHA-256 (CVE-2026-40542)Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue. |
|
| CVE-2026-33557 | Apr 20, 2026 |
Apache Kafka 4.1.0/4.1.1: JWT Validator accepts unsigned tokensA possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature, issuer, or audience. An attacker can generate a JWT token from any issuer with the `preferred_username` set to any user, and the broker will accept it. We advise the Kafka users using kafka v4.1.0 or v4.1.1 to set the config `sasl.oauthbearer.jwt.validator.class` to `org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator` explicitly to avoid this vulnerability. Since Kafka v4.1.2 and v4.2.0 and later, the issue is fixed and will correctly validate the JWT token. |
|
| CVE-2025-66335 | Apr 20, 2026 |
Apache Doris MCP Server <0.6.1: SQL Injection via Improper Query NeutralizationApache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected. |
|
| CVE-2026-33558 | Apr 20, 2026 |
Apache Kafka Info Exposure via NetworkClient DEBUG Logs before 3.9.2/4.0.1Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information will be exposed via the requests and responses output log. The entire lists of impacted requests and responses are: * AlterConfigsRequest * AlterUserScramCredentialsRequest * ExpireDelegationTokenRequest * IncrementalAlterConfigsRequest * RenewDelegationTokenRequest * SaslAuthenticateRequest * createDelegationTokenResponse * describeDelegationTokenResponse * SaslAuthenticateResponse This issue affects Apache Kafka: from any version supported the listed API above through v3.9.1, v4.0.0. We advise the Kafka users to upgrade to v3.9.2, v4.0.1, or later to avoid this vulnerability. |
|
| CVE-2026-40948 | Apr 18, 2026 |
Keycloak Auth in apache-airflow-providers-keycloak: CSRF, no state/PKCE (<0.7.0)The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's browser and cause the victim to be logged into the attacker's Airflow session (login-CSRF / session fixation), where any credentials the victim subsequently stored in Airflow Connections would be harvestable by the attacker. Users are advised to upgrade `apache-airflow-providers-keycloak` to 0.7.0 or later. |
|
| CVE-2026-32690 | Apr 18, 2026 |
Apache Airflow <3.2 Secrets in JSON Variables not redactedSecrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented |
|
| CVE-2026-30898 | Apr 18, 2026 |
Apache Airflow BashOperator unsanitized dag_run.conf leads to code execAn example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice. |
|
| CVE-2026-30912 | Apr 18, 2026 |
SQL Error Stack Trace Exposed in Apache Airflow API (pre-3.2.0)In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
|
| CVE-2026-25917 | Apr 18, 2026 |
Apache Airflow: RCE via XCom by DAG Authors (before 3.2.0)Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue. |
|
| CVE-2026-32228 | Apr 18, 2026 |
Airflow v3.2.0 Fix: UI/API Dags Access Control VulnerabilityUI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue. |
|
| CVE-2026-31987 | Apr 16, 2026 |
Apache Airflow <3.2: JWT logs expose Dag authors (CVE-2026-31987)JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue. |
|
| CVE-2026-25219 | Apr 15, 2026 |
Airflow <3.2.0: Unmasked conn_key/conn_string expose secretsThe `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data. If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.1.8 |
|
| CVE-2026-30778 | Apr 15, 2026 |
Apache SkyWalking OAP /debugging/config/dump Config Leak <=10.3.0The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue. |
|
| CVE-2025-54550 | Apr 15, 2026 |
Apache Airflow 3.2 Unsafe XCom Pattern (CVE-2025-54550)The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of the example with improved resiliance for that case. Users who followed that pattern are advised to adjust their implementations accordingly. |
|
| CVE-2026-31923 | Apr 14, 2026 |
Apache APISIX Cleartext Transmission in OIDC Plugin 0.7-3.15.0Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue. |
|
| CVE-2026-33929 | Apr 14, 2026 |
Apache PDFBox Path Traversal CVE-2026-33929 ExtractEmbeddedFiles v2.0.37/3.0.8Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository. |
|
| CVE-2026-31924 | Apr 14, 2026 |
C2S: Apache APISIX Cleartext HTTP Data Transfer (Logs) < 3.16.0Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue. |
|
| CVE-2026-31908 | Apr 14, 2026 |
Apache APISIX Header Injection via forward-auth plugin 2.12.0-3.15.0Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue. |
|
| CVE-2026-33858 | Apr 13, 2026 |
Apache Airflow 3.2.0: XCom payload enables DAG-author code execDag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue. |
|
| CVE-2025-66236 | Apr 13, 2026 |
Airflow<3.2: Ambiguous Security Model & JWT Auth, Upgrade RequiredBefore Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue. |
|
| CVE-2026-34476 | Apr 13, 2026 |
SSRF via SW-URL Header in Apache SkyWalking MCP 0.1.0 (fixed in 0.2.0)Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue affects Apache SkyWalking MCP: 0.1.0. Users are recommended to upgrade to version 0.2.0, which fixes this issue. |