{"schema_version": "1.6.1", "id": "CVE-2021-26697", "summary": "Apache Airflow: Lineage API endpoint for Experimental API missed authentication check", "details": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint.\n\nThis is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task.\n\nThis issue affects Apache Airflow 2.0.0.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"last_affected": "2.0.0"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"}]}