Cyber Resilience

CVE-2020-11978

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 17 July 2020

Modified: 23 October 2025
KEV Added: 18 January 2022
Patch
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9427 (99.9th percentile)
Risk Priority: 94 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-11978 is a high-severity OS Command Injection (CWE-78) vulnerability in Apache Airflow. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2020-11978 is a remote code or command injection vulnerability present in Apache Airflow versions 1.10.10 and earlier. It resides in one of the example DAGs that ship with the product by default and stems from improper handling of untrusted input that is passed to operating-system commands, corresponding to CWE-78. The issue is absent when the configuration option load_examples is explicitly set to False.

Any authenticated user can exploit the flaw to execute arbitrary commands on the host running the Airflow worker or scheduler process, with privileges equivalent to that process. Successful exploitation therefore grants the attacker the ability to read, modify, or delete data and potentially pivot to other systems, depending on the executor configuration and the privileges of the Airflow service account.

Public advisories and exploit disclosures note that the sole recommended mitigation is to disable the example DAGs by setting load_examples=False in the Airflow configuration; no other configuration changes or patches are described for versions 1.10.10 and below. Multiple proof-of-concept exploits have been published that demonstrate unauthenticated-to-authenticated command execution against the vulnerable example DAG.
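As an added check, not part of the original advisory, the script below reads the effective `load_examples` setting and the running Airflow version and reports whether the example DAGs can still be loaded on an affected release. It assumes Airflow's `AIRFLOW__{SECTION}__{KEY}` environment-variable override convention (so `AIRFLOW__CORE__LOAD_EXAMPLES` takes precedence over airflow.cfg) and uses a constructed sample configuration.

```python
"""Audit an Airflow deployment for CVE-2020-11978 exposure: example DAGs
still loadable (load_examples not False) on an affected release."""
import configparser
import os
import re
from typing import Mapping, Optional

# The advisory text names versions 1.10.10 and below as affected.
MAX_AFFECTED_VERSION = (1, 10, 10)
# Airflow reads AIRFLOW__<SECTION>__<KEY> from the environment ahead of airflow.cfg.
ENV_OVERRIDE = "AIRFLOW__CORE__LOAD_EXAMPLES"

# Constructed sample airflow.cfg fragment, not taken from any real deployment.
SAMPLE_CFG = """[core]
dags_folder = /opt/airflow/dags
load_examples = True
executor = LocalExecutor
"""


def parse_version(version: str) -> tuple:
    """'1.10.10rc1' -> (1, 10, 10); stops at the first non-numeric component."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def load_examples_enabled(cfg_text: str, env: Mapping[str, str]) -> bool:
    """Effective value of [core] load_examples; Airflow's default is True."""
    raw: Optional[str] = env.get(ENV_OVERRIDE)
    if raw is None:
        cfg = configparser.ConfigParser(interpolation=None)  # cfg values may contain '%'
        cfg.read_string(cfg_text)
        raw = cfg.get("core", "load_examples", fallback=None)
    if raw is None:
        return True  # unset: the example DAGs are loaded by default
    # Only an explicit false value counts as disabled; anything else is reported as enabled.
    return raw.strip().lower() not in {"false", "f", "0", "no", "n"}


def assess(cfg_text: str, env: Mapping[str, str], version: str) -> dict:
    """Combine version and configuration checks into one finding."""
    version_affected = parse_version(version) <= MAX_AFFECTED_VERSION
    examples = load_examples_enabled(cfg_text, env)
    exposed = version_affected and examples
    return {"version_affected": version_affected, "load_examples": examples, "exposed": exposed,
            "remediation": "set [core] load_examples = False and restart Airflow" if exposed else None}


if __name__ == "__main__":
    print(assess(SAMPLE_CFG, os.environ, "1.10.10"))
```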

Vulnerability details

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

CWE(s): CWE-78
KEV Date Added: 18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache airflow, versions ≤ 1.10.11

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the CVE by enforcing least functionality and disabling the vulnerable example DAGs via load_examples=False.
- prevent: Requires applying the exact configuration setting that removes the command-injection code path from the running Airflow instance.
- prevent: Addresses the underlying CWE-78 flaw by mandating validation or sanitization of untrusted input before it reaches OS commands in any DAG.
