{"schema_version": "1.6.1", "id": "CVE-2021-26559", "summary": "CWE-284 Improper Access Control on Configurations Endpoint for the Stable API", "details": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. \n\nThis allowed a privilege escalation attack.\n\nThis issue affects Apache Airflow 2.0.0.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"last_affected": "2.0.0"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"}]}