CVE-2024-56373
Published: 24 February 2026
Summary
CVE-2024-56373 is a high-severity Code Injection (CWE-94) vulnerability in Apache Airflow. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification, reporting, and correction of flaws like CVE-2024-56373 through upgrades to Airflow 3 or disabling log template history as recommended.
Prohibits or restricts unnecessary functionality such as log template history to eliminate the vector for code injection via database manipulation.
Validates database inputs for log template history fields to block arbitrary code injection that executes during webserver rendering of historical task logs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Code injection in public-facing Airflow web server enables RCE beyond attacker privileges via log template history.
NVD Description
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote…
more
code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.
Deeper analysisAI
CVE-2024-56373 is a code injection vulnerability (CWE-94) affecting Apache Airflow 2, specifically in the web-server component. A DAG Author with existing high-level permissions can manipulate the Airflow database to inject arbitrary code that executes in the web-server context when another user views historical task information via the log template history functionality. This flaw, scored at CVSS 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H), enables server-side remote code execution beyond the attacker's normal privileges.
The attack requires a DAG Author (high-privilege user) to first alter the database entries related to log template history. Exploitation occurs when any user with access to the web interface views the affected historical task logs, triggering the injected code in the web-server process. Successful exploitation grants the attacker high confidentiality, integrity, and availability impact within the elevated scope of the web-server.
Apache Airflow advisories recommend disabling the log template history functionality, which is now off by default in version 2.11.1. Users wishing to retain this feature should upgrade to Airflow 3. Alternatively, administrators can manually rename historical log files generated before the last template change to view them without risk. Relevant patches and discussions are detailed in the associated GitHub pull request and security mailing lists.
Details
- CWE(s)