CVE Disclosure · Apache Foundation

CVE-2026-32794

Apache Airflow (Databricks provider)

TLS verification bypass

CVSS: 4.8
Severity: Medium
Class: TLS verification bypass
Track: Apache Foundation

Summary

CVE-2026-32794 is a medium-severity vulnerability (CVSS 4.8) affecting Apache Airflow (Databricks provider). The issue is classified as a TLS verification bypass and is part of the Apache Foundation disclosure track on this site.

References

Authoritative sources and PoC material:

Disclosure

Reporter: Kai Aizen (snailsploit)
Coordination: Vendor + MITRE/NVD
Status: Disclosed · CVE assigned · entry public on NVD
Track: Apache Foundation

About this writeup

Detailed exploitation analysis, root-cause walkthrough, and remediation guidance for this finding live in the PoC repository. For broader methodology see services and research.

Author
Kai Aizen
Independent Adversarial · Research group. 74 published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-32794
Product: Apache Airflow (Databricks provider)
Severity: 4.8 · Medium
Class: CWE-295
Affected: apache-airflow-providers-databricks versions prior to the patched release
References: NVD · MITRE · Vendor advisory
Frequently asked

CVE-2026-32794 — questions & answers

What is CVE-2026-32794?

CVE-2026-32794 is an improper-certificate-validation issue in the Apache Airflow Databricks provider. A configuration path causes TLS verification to be silently disabled when contacting the Databricks workspace API, exposing the traffic to interception.

Am I affected by CVE-2026-32794?

You are affected if your Airflow installation uses the Databricks provider and the configuration matches the vulnerable code path described in the advisory. Self-hosted Airflow with an untrusted network hop to Databricks is the primary risk.

How do I fix CVE-2026-32794?

Upgrade apache-airflow-providers-databricks to the patched version. Verify your connection config no longer relies on the deprecated/insecure option. Audit existing connections for sensitive credentials that may have been exposed during the vulnerable window.

What is the impact of CVE-2026-32794?

Loss of confidentiality of Databricks API traffic between Airflow and the Databricks workspace, including bearer tokens. CVSS 4.8 Medium.

Where can I find authoritative references?

NVD record, MITRE CVE record, and the provider package changelog on the Apache Airflow documentation site.