Apache Airflow Configuration Exposure

Rejah Rehim
Published on
20 Dec 2021


Apache Airflow is used by organizations in sectors such as cybersecurity, ecommerce, energy, finance, health, information technology, manufacturing, media, and transportation. Misconfigured Apache Airflow instances that exposed sensitive information to anyone on the Internet. In most cases, insecure configuration is what led to the leak. The configuration file (airflow.cfg) is created when Airflow is first started. It contains Airflow’s configuration and it is able to be changed . The file contains secrets such as passwords and keys. But, if the expose_config option in the file is mistakenly set to ‘True’ the configuration becomes accessible to anyone via the web server,

Mitigation measures

Set the expose_config option to ‘False’

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment