oss-security - CVE-2026-32794: Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <a984d919-5f4c-2f56-8c9b-7a3a07c87368@apache.org>
Date: Mon, 30 Mar 2026 21:39:53 +0000
From: Jens Scheffler <jscheffl@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-32794: Apache Airflow Provider for Databricks: TLS
 Certificate Verification Disabled in Databricks Provider K8s Token
 Exchange 

Severity: low 

Affected versions:

- Apache Airflow Provider for Databricks (apache-airflow-providers-databricks) 1.10.0 before 1.12.0

Description:

Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice.

This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0.

Users are recommended to upgrade to version 1.12.0, which fixes the issue.

Credit:

Kai Aizen (reporter)
Marcin Wojtyczka (remediation developer)

References:

https://github.com/apache/airflow/pull/63704
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-32794

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.