Description
Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to the Databricks back-end, which could result in a man-in-the-middle attack in which traffic is intercepted and manipulated or credentials are exfiltrated without notice.

This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0.

Users are recommended to upgrade to version 1.12.0, which fixes the issue.
Published: 2026-03-30
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Man-in-the-middle attack with credential exposure
Action: Patch Immediately
AI Analysis

Impact

An oversight in the Apache Airflow Provider for Databricks caused the provider to skip TLS certificate validation when connecting to Databricks services. Without validation the client accepts whatever certificate it is presented with, so this omission is a CWE-295 (Improper Certificate Validation) weakness that lets an attacker on the network path tamper with data in transit or capture credentials without the user's awareness.

Affected Systems

Vulnerable versions of the provider range from 1.10.0 up to, but not including, 1.12.0. Any deployment running one of those releases is affected; upgrading to 1.12.0 or later resolves the flaw.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity, while the EPSS score is under 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector, inferred from the fact that certificate validation is omitted, is an attacker positioned between Airflow and Databricks, such as a malicious actor on an untrusted network, who could present a forged certificate and intercept traffic. This inference is drawn from the description and is not explicitly stated in the advisory.

Generated by OpenCVE AI on March 31, 2026 at 16:06 UTC.
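The Impact section above describes certificate verification being switched off on the client side. The Python snippet below is an added example, not the provider's code and not part of this CVE record: it shows the insecure SSLContext configuration that the CWE-295 class covers beside a hardened one, together with a small audit helper a defender can run against any ssl.SSLContext a library hands back (for instance in a unit test of an integration's HTTP client). The names TlsFinding, audit_ssl_context, insecure_context and hardened_context are assumptions introduced here; the contexts are constructed locally, so the example runs offline.

```python
from __future__ import annotations

import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsFinding:
    """One weak setting found on an SSLContext (name is this example's own)."""
    setting: str
    value: str
    risk: str


def audit_ssl_context(ctx: ssl.SSLContext) -> list[TlsFinding]:
    """Return the verification-related weaknesses present on a client SSLContext.

    An empty list means the context validates the peer certificate chain,
    matches it against the target hostname and refuses pre-TLS-1.2 protocols.
    """
    findings: list[TlsFinding] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(TlsFinding(
            "verify_mode", "CERT_NONE",
            "peer certificate is never checked against a CA, so a forged "
            "certificate from an on-path attacker is accepted (CWE-295)"))
    if not ctx.check_hostname:
        findings.append(TlsFinding(
            "check_hostname", "False",
            "certificate is not matched against the hostname being contacted, "
            "so a validly issued certificate for some other name is accepted"))
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(TlsFinding(
            "minimum_version", ctx.minimum_version.name,
            "legacy TLS/SSL protocol versions remain negotiable"))
    return findings


def insecure_context() -> ssl.SSLContext:
    """The kind of configuration the advisory describes: validation switched off.

    Constructed here for illustration only; this is not the provider's code.
    The assignment order matters: check_hostname must be cleared before
    verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """A client context that validates the chain, checks the hostname and requires TLS >= 1.2.

    Pass a private CA bundle via `cafile` when the back end uses one; that is
    the fix for "certificate not trusted", not disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def main() -> None:
    # Audit both contexts and print what a reviewer would see.
    for label, ctx in (("insecure", insecure_context()),
                       ("hardened", hardened_context())):
        findings = audit_ssl_context(ctx)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.setting}={f.value}: {f.risk}")


if __name__ == "__main__":
    main()
```

In practice the audit function is most useful inside a test that obtains the context (or the `verify` setting) from the integration's real HTTP client object, so that a future regression to the insecure configuration fails CI rather than silently re-exposing credentials.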

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow Provider for Databricks to version 1.12.0 or later

Generated by OpenCVE AI on March 31, 2026 at 16:06 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache
                                      Apache airflow Provider For Databricks
Vendors & Products                    Apache
                                      Apache airflow Provider For Databricks

Tue, 31 Mar 2026 14:15:00 +0000

Type       Values Removed   Values Added
Metrics                     cvssV3_1
                            {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                            ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type          Values Removed   Values Added
Description                    Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice. This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0. Users are recommended to upgrade to version 1.12.0, which fixes the issue.
Title                          Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange
Weaknesses                     CWE-295
References

Subscriptions

Apache Airflow Provider For Databricks
MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-31T13:31:19.039Z

Reserved: 2026-03-16T10:17:35.548Z

Link: CVE-2026-32794

Vulnrichment

Updated: 2026-03-31T13:30:57.383Z

NVD

Status: Received

Published: 2026-03-30T22:16:18.760

Modified: 2026-03-31T14:16:11.510

Link: CVE-2026-32794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:53Z

Weaknesses