Cyber Resilience

CVE-2020-13927

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 10 November 2020

Published
10 November 2020
Modified
23 October 2025
KEV Added
18 January 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9410 99.9th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-13927 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Airflow. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

The vulnerability in CVE-2020-13927 is a missing authentication requirement in the default configuration of Apache Airflow's Experimental API. Prior to version 1.10.11, the API accepted all requests without any authentication backend enabled, exposing the component to unauthenticated access by default on new and existing installations.

An attacker with network access to the Airflow instance can send arbitrary requests to the Experimental API endpoints. This can result in full compromise of the Airflow deployment, including the ability to execute code remotely, as demonstrated by multiple public exploit proofs-of-concept targeting version 1.10.10.

The Apache Airflow project addressed the issue by changing the default setting in 1.10.11 to deny_all requests, documented in the security guide and the 1.10.11 UPDATING.md file. Existing deployments must explicitly configure `[api] auth_backend = airflow.api.auth.backend.deny_all` to apply the fix.

Public exploit code for remote code execution against vulnerable versions has been published on Packet Storm, confirming the issue's practical exploitability.

EU & UK References

Vulnerability details

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by…

more

default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

CWE(s)
KEV Date Added
18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
airflow
≤ 1.10.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication on Experimental API endpoints before any request is accepted, eliminating the unauthenticated default.

prevent

Requires identification and authentication for non-organizational users accessing the API, closing the missing-authentication gap.

prevent

Mandates explicit configuration of [api] auth_backend = deny_all so the secure default is applied on existing deployments.

References