{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:237fb60b-3936-535b-bee7-1453dfa4831d",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/apache-airflow-providers-http@4.13.3",
      "type": "library",
      "name": "apache-airflow-providers-http",
      "version": "4.13.3",
      "purl": "pkg:pypi/apache-airflow-providers-http@4.13.3"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:d53b33b0-fad4-54a7-a8b7-f5f6e6234051",
      "id": "CVE-2023-22884",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-22884 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:300bf6e0-a1cf-55c9-8155-d7e17308fbad",
      "id": "CVE-2023-39441",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-39441 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e48d4ae6-d3d9-5886-8d85-0ce188ba6bcb",
      "id": "CVE-2025-53643",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-53643 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4ab622c4-7874-56e2-a11f-4d5f57504ca6",
      "id": "CVE-2025-69223",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69223 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dcfa4b86-0670-519e-a940-4f395892c439",
      "id": "CVE-2025-69224",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69224 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ec462874-d78d-5e8a-9d63-d70781fed8e8",
      "id": "CVE-2025-69225",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69225 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5ed7d35e-c368-5933-b8f4-d0b87c88ef2a",
      "id": "CVE-2025-69226",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69226 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ab05c043-c993-5eeb-ace7-b3ee74757b0c",
      "id": "CVE-2025-69227",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69227 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c6d8409f-9e77-5eba-87f9-f8aab87fd089",
      "id": "CVE-2025-69228",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69228 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9dc98b23-0106-524c-9810-ddc59b77fb2b",
      "id": "CVE-2025-69229",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69229 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8421ed2e-e971-5ea4-b396-ffa2a17d68b1",
      "id": "CVE-2025-69230",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69230 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9e353aab-4ebe-5a65-bca9-8b5c9a0ac578",
      "id": "CVE-2026-22815",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22815 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fc6c2b9e-a40b-5d6e-a160-97c77cdeef99",
      "id": "CVE-2026-34513",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34513 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a6805634-ff28-5ca2-a2c3-08bb525c555f",
      "id": "CVE-2026-34514",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34514 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4e33cee3-26a0-5a19-92aa-edc3d442b15e",
      "id": "CVE-2026-34515",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34515 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4e27cdf1-aad8-5a3a-90fe-6411d347a2ae",
      "id": "CVE-2026-34516",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34516 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1aa6a04d-ac99-5ed3-8a1d-59851d45c92b",
      "id": "CVE-2026-34517",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34517 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0e8d10e8-6e0c-5c36-a407-494019256544",
      "id": "CVE-2026-34518",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34518 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7ea863f3-5643-5495-8e45-51b34bac2bba",
      "id": "CVE-2026-34519",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34519 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d3ff339e-bdef-5de1-a977-ab0e3961c6c9",
      "id": "CVE-2026-34520",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34520 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:35cb0064-38a8-511f-b160-337942bc1bab",
      "id": "CVE-2026-34525",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34525 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4f2224a3-d975-5c99-8c58-f8fb02d83c7d",
      "id": "CVE-2026-34993",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-34993 does not affect version 4.13.3 of apache-airflow-providers-http. The target repository (apache-airflow-providers-http) uses aiohttp as a declared dependency but does not invoke the vulnerable CookieJar.load() function. The code only uses aiohttp.ClientSession for HTTP client operations with in-memory cookie handling and never deserializes cookies from files."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ff32394a-ca76-5022-9c3c-fa2466226d91",
      "id": "CVE-2026-47265",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-47265 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a09cc444-4c25-5e17-bfc9-7843d7c07229",
      "id": "CVE-2026-50269",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50269 does not affect version 4.13.3 of apache-airflow-providers-http. The Apache Airflow HTTP provider is not affected by CVE-2026-50269. The vulnerability requires direct manipulation of aiohttp's Payload.headers or MultipartWriter.append(headers=...) APIs, which Airflow does not use. Airflow only uses aiohttp.ClientSession standard request methods (post/get/put) which set HTTP request headers, not multipart payload headers."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b02ec8c7-96bb-5652-8948-4b2c107714ac",
      "id": "CVE-2026-54273",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54273 does not affect version 4.13.3 of apache-airflow-providers-http. CVE-2026-54273 affects aiohttp's server-side HTTP/1.1 pipelined request handling. The target repository (apache-airflow-providers-http 4.13.3 with TuxCare patches) uses aiohttp exclusively as a CLIENT via aiohttp.ClientSession(), not as a server. The vulnerable code path requires running an aiohttp server (web.Application, RequestHandler) to accept and parse pipelined requests from clients. Since Airflow does..."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:700a0080-b73c-57cb-833d-420f8a8284c0",
      "id": "CVE-2026-54274",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54274 does not affect version 4.13.3 of apache-airflow-providers-http. Apache Airflow is not affected by CVE-2026-54274. While aiohttp v3.10.5 is a dependency, Airflow only uses aiohttp's HTTP client functionality (ClientSession with GET/POST/etc.) and does not use any WebSocket features. The vulnerable code path (WebSocketReader parser) is never invoked in Airflow's codebase."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1b7fbb50-f7b5-5988-86f5-cce13600c5b5",
      "id": "CVE-2026-54275",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54275 does not affect version 4.13.3 of apache-airflow-providers-http. CVE-2026-54275 (aiohttp TLS SNI bypass via connection reuse) does not affect Apache Airflow providers. The vulnerability requires persistent connection pooling across multiple requests with different server_hostname values. Airflow's HttpAsyncHook uses ephemeral aiohttp sessions (created and destroyed per request), which prevents connections from being reused across requests. This architectural..."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c4307480-b169-5144-a68d-bbb8a2c5bb55",
      "id": "CVE-2026-54276",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54276 does not affect version 4.13.3 of apache-airflow-providers-http. The apache-airflow-providers-http package does not use aiohttp's DigestAuthMiddleware and provides no mechanism to configure it. While aiohttp is a dependency, the HTTP provider only uses BasicAuth (request-level authentication), never middleware-based authentication. The vulnerability cannot manifest because the vulnerable component (DigestAuthMiddleware) is never instantiated in the provider'..."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:416e9709-10e2-5b08-8dd2-8f7d1f0f4e59",
      "id": "CVE-2026-54277",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54277 does not affect version 4.13.3 of apache-airflow-providers-http. The target repository (Apache Airflow Providers HTTP) does not contain the vulnerable aiohttp C parser code. The vulnerability CVE-2026-54277 exists in aiohttp's _http_parser.pyx file (functions cb_on_url and cb_on_status), which is not present in this repository. This repository uses aiohttp as an external Python dependency rather than vendoring or bundling its source code. The vulnerable code..."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:84fe4934-342a-56f8-bc8c-27219f6adea2",
      "id": "CVE-2026-54278",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54278 affects version 4.13.3 of apache-airflow-providers-http."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:90135b1a-fa08-53c5-9934-2049d521cfa0",
      "id": "CVE-2026-54279",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54279 does not affect version 4.13.3 of apache-airflow-providers-http. The Apache Airflow HTTP Provider is not affected by CVE-2026-54279. The vulnerability concerns aiohttp's CookieJar save/load functionality losing host-only cookie status, but Airflow does not use CookieJar persistence operations. Airflow only creates ephemeral aiohttp.ClientSession instances and never calls .save() or .load() on any CookieJar."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b2f92fdc-fc7d-5182-bac8-cba304810687",
      "id": "CVE-2026-54280",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54280 does not affect version 4.13.3 of apache-airflow-providers-http. The vulnerability CVE-2026-54280 affects aiohttp's server-side code (web_response.py:write_eof) used when serving HTTP responses. The Apache Airflow HTTP Provider (version 4.13.3) uses aiohttp exclusively as a CLIENT (via ClientSession) to make outbound HTTP requests, not as a SERVER. Exhaustive search confirmed zero server-side aiohttp usage (no web.Response, web.Application, or write_eof usag..."
      },
      "affects": [
        {
          "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/apache-airflow-providers-http@4.13.3"
    }
  ]
}