Apache Airflow 1.10.10 Remote Code Execution (CVE-2020-13927)
Overview
Apache Airflow 1.10.10 Remote Code Execution, tracked as CVE-2020-13927, affects Apache Airflow deployments that expose the Experimental API with unsafe default authentication behavior. The issue is rooted in access control rather than a low-level memory corruption bug.
Vulnerability Overview
CVE-2020-13927 exists because older Airflow Experimental API defaults allowed API requests without authentication. From Airflow 1.10.11, the default behavior was changed to deny API requests unless authentication is explicitly configured.
In vulnerable deployments, unauthenticated access to workflow-control APIs can allow attackers to interact with Airflow in ways that were intended only for trusted users or automation.
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can allow a remote unauthenticated attacker to affect workflow execution, access sensitive orchestration behavior, and reach remote code execution paths depending on how DAGs and workers are configured.
CVE-2020-13927 is listed in CISA KEV, so exposed Airflow 1.10.x environments should be treated as high-priority findings.
Vulnerability Scope
NVD lists Apache Airflow versions before 1.10.11 as affected. Existing Airflow installations also need a configuration review, because an upgrade only changes the shipped defaults: an auth_backend value already written into a deployed airflow.cfg is kept as-is.
The practical exposure is highest when the Airflow webserver or Experimental API is reachable from untrusted networks and workflow execution has access to sensitive systems, credentials, or infrastructure automation.
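An added configuration-audit example (not part of the lab page or of Airflow itself) that checks the [api] auth_backend setting the text refers to. It assumes the two backend module names from Airflow 1.10.x, airflow.api.auth.backend.default (accepts every request) and airflow.api.auth.backend.deny_all (the 1.10.11 default); the airflow.cfg fragments are constructed.

```python
"""Audit the [api] auth_backend setting of an airflow.cfg for CVE-2020-13927 exposure."""
import configparser

# Assumed backend module names from Airflow 1.10.x:
ALLOW_ALL = "airflow.api.auth.backend.default"   # accepts every request, no authentication
DENY_ALL = "airflow.api.auth.backend.deny_all"   # default from 1.10.11 onward
FIXED_VERSION = (1, 10, 11)


def parse_version(version):
    """'1.10.10' -> (1, 10, 10)."""
    return tuple(int(part) for part in version.split(".")[:3])


def audit_api_auth(cfg_text, airflow_version):
    """Return (exposed, reason) for an airflow.cfg text and the running Airflow version.

    A missing key means the version's shipped default applies; an explicit key
    survives an upgrade unchanged, which is why deployed configs need review.
    """
    cfg = configparser.ConfigParser(interpolation=None)  # airflow.cfg uses % and {} placeholders
    cfg.read_string(cfg_text)
    backend = cfg.get("api", "auth_backend", fallback=None)

    if backend is None:
        if parse_version(airflow_version) < FIXED_VERSION:
            return True, "auth_backend unset; %s defaults to the allow-all backend" % airflow_version
        return False, "auth_backend unset; %s defaults to deny_all" % airflow_version

    backend = backend.strip()
    if backend == ALLOW_ALL:
        return True, "auth_backend = %s: Experimental API accepts unauthenticated requests" % backend
    if backend == DENY_ALL:
        return False, "auth_backend = deny_all: Experimental API rejects all requests"
    return False, "auth_backend = %s: confirm this backend enforces authentication" % backend


# Constructed sample: a 1.10.10-era config carried over unchanged through an upgrade.
LEGACY_CFG = """
[core]
dags_folder = /opt/airflow/dags

[api]
auth_backend = airflow.api.auth.backend.default
"""

if __name__ == "__main__":
    for version in ("1.10.10", "1.10.12"):
        print(version, audit_api_auth(LEGACY_CFG, version))
```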
Lab Focus
This Hackviser lab focuses on understanding how insecure API defaults can become remote code execution risk in workflow orchestration platforms. You will practice identifying unsafe Airflow API exposure, reading version and configuration scope, and connecting orchestration access to infrastructure impact.
