Is apache-airflow-core safe to use?

apache-airflow-core has 4 known vulnerabilities on the latest version (3.1.8). DepScope rates its health at 42/100 (high risk).

What is the latest version of apache-airflow-core?

The latest version of apache-airflow-core is 3.1.8, released 2026-03-12.

Yes. apache-airflow-core has 4 known vulnerabilities. See depscope.dev/pkg/conda/apache-airflow-core for details.

No, apache-airflow-core is actively maintained. Latest release: 3.1.8 (2026-03-12).

DepScope has no curated alternatives for apache-airflow-core at this time.

apache-airflow-core is licensed under MIT AND BSD-3-Clause AND BSD-2-Clause AND Apache-2.0.

condav3.1.8

Core packages for Apache Airflow, schedule and API server

License MIT AND BSD-3-Clause AND BSD-2-Clause AND Apache-2.0permissive16 versions1 maintainers0 deps623 weekly dl

/ 100

Health

do not use

apache-airflow-core has critical vulnerabilities — do not use

Update to >= 3.2.0 to fix known vulnerabilities

Health breakdown0 – 100

20/25

maintenance

3/20

popularity

8/25

security

9/15

maturity

2/15

community

Vulnerabilities

1 critical1 high1 medium1 low

Advisories (4)

Severity	ID	Summary	Fixed in
critical	BIT-airflow-2026-25917	Apache Airflow allows code execution through crafted XCom payloads	3.2.0
high	BIT-airflow-2026-32228	Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions	3.2.0
medium	BIT-airflow-2026-30912	Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false	3.2.0
low	BIT-airflow-2026-32690	Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries	3.2.0

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/conda/apache-airflow-core

First published · 2025-05-14 16:03:35.892000+00:00

Last updated · 2026-03-12 08:28:00.341000+00:00