Apache Airflow Provider for Databricks: TLS Certificate Verification is Disabled in Databricks Provider K8s Token Exchange

The Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks presents a significant risk of man-in-the-middle (MITM) attacks. An attacker positioned between the Airflow instance and the Databricks backend can intercept and potentially modify network traffic. This could lead to the compromise of sensitive data, including credentials used to authenticate with Databricks. Successful exploitation could allow an attacker to gain unauthorized access to Databricks resources, execute arbitrary code within the Airflow environment, or steal confidential information stored within Databricks. The potential blast radius extends to any data processed or stored within the Databricks environment accessible through the compromised Airflow connection.

Organizations utilizing Apache Airflow to orchestrate workflows within Databricks are at risk. Specifically, deployments using older versions of the Airflow Provider for Databricks (≤1.10.9rc1) are vulnerable. Shared hosting environments where Airflow instances are deployed alongside other applications should be particularly cautious, as they may be more susceptible to network-based attacks.

• python / airflow: Check Airflow Provider for Databricks version using python -c 'import airflow; print(airflow.version)'. Look for versions <= 1.10.9rc1. • python / airflow: Monitor Airflow logs for unusual connection errors or certificate validation failures. • generic web: Inspect network traffic between Airflow and Databricks for signs of MITM attacks (e.g., unexpected certificate changes). • generic web: Use tools like Wireshark to analyze network traffic and verify certificate validity.

1. 2026-03-31Disclosure

   disclosure

1. Reserviert2026-03-16
2. Veröffentlicht2026-03-31
3. Geändert2026-04-02
4. EPSS aktualisiert2026-04-07

The primary mitigation for CVE-2026-32794 is to upgrade the Apache Airflow Provider for Databricks to version 1.12.0 or later. If an immediate upgrade is not feasible, consider implementing network-level controls to restrict access to the Databricks backend. This could involve using a VPN or firewall to ensure that only trusted connections are allowed. Additionally, review and strengthen certificate pinning configurations within the Airflow environment, if applicable. After upgrading, verify the fix by attempting to establish a connection to Databricks and confirming that certificate validation is enforced.