Description
Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to the Databricks back-end, which could result in a man-in-the-middle attack in which traffic is intercepted and manipulated or credentials are exfiltrated without notice.

This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0.

Users are recommended to upgrade to version 1.12.0, which fixes the issue.
Published: 2026-03-30
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Man-in-the-Middle
Action: Immediate Upgrade
AI Analysis

Impact

Improper certificate validation in the Databricks provider for Apache Airflow allows an attacker to perform a man-in-the-middle attack. Because TLS verification is bypassed, the attacker can intercept, modify or eavesdrop on traffic between Airflow and Databricks, potentially exfiltrating credentials and altering job submissions. The weakness is classified as CWE-295 (Improper Certificate Validation): the connection is encrypted, but the identity of the peer presenting the certificate is never checked.

Affected Systems

Apache Airflow Provider for Databricks, released by the Apache Software Foundation, is affected in versions from 1.10.0 up to but excluding 1.12.0. The provider connects Airflow DAGs to Databricks workspaces; the vulnerability lies specifically in the token exchange used when the provider runs on Kubernetes, where TLS certificate verification is disabled. Users should check whether their deployed provider version falls within this range.

Risk and Exploitability

With a CVSS base score of 4.8, the vulnerability is rated medium. The EPSS score of less than 1% indicates a low probability of public exploitation, and the issue is not listed in the CISA KEV catalog. Nevertheless, because the vulnerability stems from unverified certificates, an attacker positioned on the network path between Airflow and Databricks could carry out a silent MITM operation. The attack vector is remote over the network (CVSS AV:N) with high attack complexity (AC:H); it requires no local vulnerabilities, only the insecure certificate handling.

Generated by OpenCVE AI on April 2, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Airflow Databricks provider to version 1.12.0 or later, which restores certificate verification during the Kubernetes token exchange.
  • Verify that TLS certificate validation is enabled in your Airflow configuration and that you are using a trusted Databricks service endpoint.
  • Monitor network traffic for anomalous connections, and ensure that any certificate verification failures are recorded in your Airflow logs rather than silently ignored.
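As an added defender's check (not OpenCVE's or the provider's own code), the following script statically audits Python source for the CWE-295 pattern behind this advisory: a requests-style call or session object with TLS certificate verification switched off. The sample source it scans is constructed for illustration and does not reproduce the provider's code.

```python
"""Static audit for disabled TLS certificate verification (CWE-295)."""
import ast

# Constructed sample (not the Airflow provider's code): two token-exchange
# helpers that switch verification off, one that keeps the secure default.
SAMPLE_SOURCE = '''
import requests

def exchange_token_insecure(url, jwt):
    # weak: the Databricks endpoint certificate is never checked
    return requests.post(url, data={"jwt": jwt}, verify=False)

def exchange_token_session_insecure(url, jwt):
    session = requests.Session()
    session.verify = False  # weak: same effect, set on the session
    return session.post(url, data={"jwt": jwt})

def exchange_token(url, jwt):
    # hardened: keep the default verify=True, or point verify at a CA bundle
    return requests.post(url, data={"jwt": jwt}, timeout=30)
'''


def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def find_disabled_verification(source: str) -> list[tuple[int, str]]:
    """Return (line, description) for each place verification is turned off:
    a keyword argument verify=False, or an assignment <obj>.verify = False."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    findings.append((node.lineno, f"{ast.unparse(node.func)}(verify=False)"))
        elif isinstance(node, ast.Assign) and _is_false(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "verify":
                    findings.append((node.lineno, f"{ast.unparse(target)} = False"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, what in find_disabled_verification(SAMPLE_SOURCE):
        print(f"line {lineno}: {what}")
```

Run it over your DAG and plugin directories after upgrading; a clean result for `verify=False` is the quickest confirmation that no local code reintroduces the weakness the 1.12.0 fix removes.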



Advisories
Source: GitHub GHSA
ID: GHSA-wrpj-755p-x363
Title: Apache Airflow Provider for Databricks: TLS Certificate Verification is Disabled in Databricks Provider K8s Token Exchange
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache airflow Providers Databricks
CPEs cpe:2.3:a:apache:airflow_providers_databricks:*:*:*:*:*:*:*:*
Vendors & Products Apache airflow Providers Databricks

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow Provider For Databricks
Vendors & Products Apache
Apache airflow Provider For Databricks

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice. This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0. Users are recommended to upgrade to version 1.12.0, which fixes the issue.
Title Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange
Weaknesses CWE-295
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-31T13:31:19.039Z

Reserved: 2026-03-16T10:17:35.548Z

Link: CVE-2026-32794

Vulnrichment

Updated: 2026-03-30T23:11:36.468Z

NVD

Status : Analyzed

Published: 2026-03-30T22:16:18.760

Modified: 2026-04-02T20:26:24.757

Link: CVE-2026-32794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:00Z

Weaknesses