Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange

Description

Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o notice. This issue affects Apache Airflow Provider for Databricks: from 1.10.0 before 1.12.0. Users are recommended to upgrade to version 1.12.0, which fixes the issue.

Affected Products

Vendor	Product	Versions
Apache Software Foundation	Apache Airflow Provider for Databricks	1.10.0

References

https://github.com/apache/airflow/pull/63704(patch)
https://lists.apache.org/thread/hn17yqsgsdtl81llvhf80rkp53hnz5nb(vendor-advisory)

Related News (2 articles)

Tier C

VulDB4h ago

CVE-2026-32794 | Apache Airflow Provider for Databricks up to 1.11.x certificate validation

→ No new info (linked only)

Tier C

oss-security4h ago

CVE-2026-32794: Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available1.12.0

CWECWE-295

PublishedMar 30, 2026

Last enriched3h agov2

Trending Score31

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange

Description

Affected Products

References

Related News (2 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History