{"package":"apache-airflow-core","ecosystem":"conda","latest_version":"3.1.8","description":"Core packages for Apache Airflow, schedule and API server","license":"MIT AND BSD-3-Clause AND BSD-2-Clause AND Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"http://airflow.apache.org","repository":"https://github.com/apache/airflow","downloads_weekly":623,"health":{"score":42,"risk":"high","breakdown":{"maintenance":20,"popularity":3,"security":8,"maturity":9,"community":2},"deprecated":false,"max_score":100},"vulnerabilities":{"count":4,"critical":1,"high":1,"medium":1,"low":1,"details":[{"vuln_id":"BIT-airflow-2026-25917","severity":"critical","summary":"Apache Airflow allows code execution through crafted XCom payloads","affected_versions":"<3.2.0|=3.0.0|=3.0.0rc1|=3.0.0rc1.post1|=3.0.0rc1.post2|=3.0.0rc1.post3|=3.0.0rc1.post4|=3.0.0rc2|=3.0.0rc3|=3.0.0rc4|=3.0.1|=3.0.1rc1|=3.0.2|=3.0.2rc1|=3.0.2rc2|=3.0.3|=3.0.3rc1|=3.0.3rc2|=3.0.3rc3|=3.0.3rc4|=3.0.3rc5|=3.0.3rc6|=3.0.4|=3.0.4rc1|=3.0.4rc2|=3.0.5|=3.0.5rc1|=3.0.5rc2|=3.0.5rc3|=3.0.6|=3.0.6rc1|=3.0.6rc2|=3.1.0|=3.1.0b1|=3.1.0b2|=3.1.0rc1|=3.1.0rc2|=3.1.1|=3.1.1rc1|=3.1.1rc2|=3.1.2|=3.1.2rc1|=3.1.2rc2|=3.1.3|=3.1.3rc1|=3.1.4|=3.1.4rc1|=3.1.4rc2|=3.1.5|=3.1.5rc1|=3.1.6|=3.1.6rc1|=3.1.7|=3.1.7rc1|=3.1.7rc2|=3.1.8|=3.1.8rc1|=3.1.8rc2|=3.2.0b1|=3.2.0b2|=3.2.0rc1|=3.2.0rc2","fixed_version":"3.2.0","source":"osv","published_at":"2026-04-18T09:30:20Z"},{"vuln_id":"BIT-airflow-2026-32228","severity":"high","summary":"Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions","affected_versions":">=3.0.0,<3.2.0|=3.0.0|=3.0.1|=3.0.1rc1|=3.0.2|=3.0.2rc1|=3.0.2rc2|=3.0.3|=3.0.3rc1|=3.0.3rc2|=3.0.3rc3|=3.0.3rc4|=3.0.3rc5|=3.0.3rc6|=3.0.4|=3.0.4rc1|=3.0.4rc2|=3.0.5|=3.0.5rc1|=3.0.5rc2|=3.0.5rc3|=3.0.6|=3.0.6rc1|=3.0.6rc2|=3.1.0|=3.1.0b1|=3.1.0b2|=3.1.0rc1|=3.1.0rc2|=3.1.1|=3.1.1rc1|=3.1.1rc2|=3.1.2|=3.1.2rc1|=3.1.2rc2|=3.1.3|=3.1.3rc1|=3.1.4|=3.1.4rc1|=3.1.4rc2|=3.1.5|=3.1.5rc1|=3.1.6|=3.1.6rc1|=3.1.7|=3.1.7rc1|=3.1.7rc2|=3.1.8|=3.1.8rc1|=3.1.8rc2|=3.2.0b1|=3.2.0b2|=3.2.0rc1|=3.2.0rc2","fixed_version":"3.2.0","source":"osv","published_at":"2026-04-18T09:30:20Z"},{"vuln_id":"BIT-airflow-2026-30912","severity":"medium","summary":"Apache Airflow exposes SQL stack trace despite \"api/expose_stack_traces\" set to false","affected_versions":"<3.2.0|=3.0.0|=3.0.0rc1|=3.0.0rc1.post1|=3.0.0rc1.post2|=3.0.0rc1.post3|=3.0.0rc1.post4|=3.0.0rc2|=3.0.0rc3|=3.0.0rc4|=3.0.1|=3.0.1rc1|=3.0.2|=3.0.2rc1|=3.0.2rc2|=3.0.3|=3.0.3rc1|=3.0.3rc2|=3.0.3rc3|=3.0.3rc4|=3.0.3rc5|=3.0.3rc6|=3.0.4|=3.0.4rc1|=3.0.4rc2|=3.0.5|=3.0.5rc1|=3.0.5rc2|=3.0.5rc3|=3.0.6|=3.0.6rc1|=3.0.6rc2|=3.1.0|=3.1.0b1|=3.1.0b2|=3.1.0rc1|=3.1.0rc2|=3.1.1|=3.1.1rc1|=3.1.1rc2|=3.1.2|=3.1.2rc1|=3.1.2rc2|=3.1.3|=3.1.3rc1|=3.1.4|=3.1.4rc1|=3.1.4rc2|=3.1.5|=3.1.5rc1|=3.1.6|=3.1.6rc1|=3.1.7|=3.1.7rc1|=3.1.7rc2|=3.1.8|=3.1.8rc1|=3.1.8rc2|=3.2.0b1|=3.2.0b2|=3.2.0rc1|=3.2.0rc2","fixed_version":"3.2.0","source":"osv","published_at":"2026-04-18T09:30:20Z"},{"vuln_id":"BIT-airflow-2026-32690","severity":"low","summary":"Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries","affected_versions":">=3.0.0,<3.2.0|=3.0.0|=3.0.1|=3.0.1rc1|=3.0.2|=3.0.2rc1|=3.0.2rc2|=3.0.3|=3.0.3rc1|=3.0.3rc2|=3.0.3rc3|=3.0.3rc4|=3.0.3rc5|=3.0.3rc6|=3.0.4|=3.0.4rc1|=3.0.4rc2|=3.0.5|=3.0.5rc1|=3.0.5rc2|=3.0.5rc3|=3.0.6|=3.0.6rc1|=3.0.6rc2|=3.1.0|=3.1.0b1|=3.1.0b2|=3.1.0rc1|=3.1.0rc2|=3.1.1|=3.1.1rc1|=3.1.1rc2|=3.1.2|=3.1.2rc1|=3.1.2rc2|=3.1.3|=3.1.3rc1|=3.1.4|=3.1.4rc1|=3.1.4rc2|=3.1.5|=3.1.5rc1|=3.1.6|=3.1.6rc1|=3.1.7|=3.1.7rc1|=3.1.7rc2|=3.1.8|=3.1.8rc1|=3.1.8rc2|=3.2.0b1|=3.2.0b2|=3.2.0rc1|=3.2.0rc2","fixed_version":"3.2.0","source":"osv","published_at":"2026-04-18T09:30:20Z"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"3.1.8","total_count":16,"recent":["3.0.0","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.1.0","3.1.1","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":1,"first_published":"2025-05-14 16:03:35.892000+00:00","last_published":"2026-03-12 08:28:00.341000+00:00","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["1 high severity vulnerabilities","1 critical vulnerabilities"],"use_version":"3.1.8","version_hint":"Update to >= 3.2.0 to fix known vulnerabilities","summary":"apache-airflow-core has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"miss","_response_ms":560,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":16,"first_release_age_days":350,"last_release_days_ago":48,"avg_days_between_releases":23,"release_velocity":"active"},"popularity_warning":{"this_ecosystem_downloads":623,"more_popular_in":{"ecosystem":"pypi","downloads_weekly":1635034},"hint":"This is the conda package 'apache-airflow-core' (623 dl/week). A much more popular package with the same name exists in pypi (1,635,034 dl/week). Confirm you queried the right ecosystem."}}