Improper Certificate Validation in Apache Airflow Provider for Databricks
CVE-2026-32794

4.8MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airflow Provider For Databricks
Vendor: CVE Published:; 30 March 2026

What is CVE-2026-32794?

An improper certificate validation vulnerability exists in Apache Airflow's Provider for Databricks. The provider's code lacks adequate validation of certificates for connections to the Databricks backend. This oversight allows for potential man-in-the-middle attacks, where malicious actors could intercept and manipulate application traffic or exfiltrate user credentials undetected. It is crucial for users to upgrade to version 1.12.0 to mitigate this vulnerability effectively.

Affected Version(s)

Apache Airflow Provider for Databricks 1.10.0 < 1.12.0

References

https://github.com/apache/airflow/pull/63704

patch

https://lists.apache.org/thread/hn17yqsgsdtl81llvhf80rkp5...

vendor-advisory

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 30, 2026
Vulnerability Reserved
Mar 16, 2026

Credit

Kai Aizen

Marcin Wojtyczka

CVE-2026-32794 Data

JSON