In the scenarios Intezer analyzed, the most common cause of credential leaks was unsafe coding practice rather than a flaw in Airflow itself. The team found production installations with passwords hardcoded in the Python source of DAGs, where they are visible to anyone who can read the DAG files, including through the web UI's code view.
In another misconfiguration case, the researchers found Airflow servers whose configuration file was publicly readable. That file (airflow.cfg) is generated the first time Airflow starts and holds the full configuration, including secrets such as the Fernet key used to encrypt Connections and the metadata database connection string. If the expose_config option in its [webserver] section is mistakenly set to True, the web server serves the whole file to every user of the web UI, who can then read those secrets; it should be left at its default of False.
Other examples include sensitive data kept in Airflow Variables, which an unauthorized user can edit to inject malicious code into the tasks that read them, and misuse of the Connections feature, where credentials are placed in the Extra field as JSON blobs. On the affected servers that field was stored unencrypted, so the credentials sat in plaintext in the metadata database (Airflow only encrypts a Connection's password and Extra fields when a Fernet key is configured).
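The three leak sources above can be checked for offline. The following is an added example written for this article, not Intezer's tooling or Airflow's own code: it parses an airflow.cfg for the expose_config and fernet_key settings (both are real Airflow option names), walks DAG source with Python's ast module looking for string literals assigned to credential-like names, and flags credential-like keys in a Connection's Extra JSON. The credential-name regex is a heuristic and every sample input is constructed.

```python
"""Offline audit for the Airflow credential-leak patterns described above.
Added example; not Intezer's or the Airflow project's code. All sample
inputs below are constructed."""
import ast
import configparser
import json
import re

# Heuristic: identifiers and JSON keys that usually carry a credential.
CREDENTIAL_NAME = re.compile(
    r"(pass(word)?|secret|token|api_?key|private_?key)", re.IGNORECASE
)

# --- constructed sample inputs -------------------------------------------
SAMPLE_CFG = """
[core]
dags_folder = /opt/airflow/dags
sql_alchemy_conn = postgresql+psycopg2://airflow:airflow@db/airflow
fernet_key =

[webserver]
expose_config = True
"""

# Parsed only, never executed, so the airflow import and connect() need
# not exist in this environment.
SAMPLE_DAG = '''
from airflow import DAG
from airflow.operators.python_operator import PythonOperator
DB_PASSWORD = "Sup3rS3cret!"
def run():
    connect(host="db", user="svc", password="Sup3rS3cret!")
dag = DAG("etl", schedule_interval="@daily")
'''

SAMPLE_EXTRA = ('{"aws_access_key_id": "AKIAEXAMPLE", '
                '"aws_secret_access_key": "dummy-secret"}')


def audit_airflow_cfg(cfg_text):
    """Return a list of findings for the airflow.cfg settings at issue."""
    # airflow.cfg uses '%' in log-format values, so disable interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    # expose_config=True publishes the entire file (fernet_key, DB DSN, ...)
    # through the web server to every UI user.
    if cfg.getboolean("webserver", "expose_config", fallback=False):
        findings.append("webserver.expose_config is True: airflow.cfg "
                        "is readable through the web UI")
    # Without a Fernet key, Connection password/Extra are stored in
    # plaintext in the metadata database.
    if not cfg.get("core", "fernet_key", fallback="").strip():
        findings.append("core.fernet_key is empty: Connection secrets "
                        "are stored unencrypted")
    return findings


def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_credentials(dag_source):
    """Return (line, name) pairs for string literals assigned to
    credential-like variables or passed as credential-like keyword args."""
    hits = []
    for node in ast.walk(ast.parse(dag_source)):
        if isinstance(node, ast.Assign) and _is_str(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id):
                    hits.append((node.lineno, target.id))
        elif isinstance(node, ast.keyword) and node.arg and _is_str(node.value):
            if CREDENTIAL_NAME.search(node.arg):
                hits.append((node.value.lineno, node.arg))
    return hits


def credential_keys_in_extra(extra_json):
    """Return keys of a Connection's Extra JSON blob that look like secrets."""
    try:
        extra = json.loads(extra_json)
    except json.JSONDecodeError:
        return []
    if not isinstance(extra, dict):
        return []
    return [k for k in extra if CREDENTIAL_NAME.search(k)]


if __name__ == "__main__":
    for finding in audit_airflow_cfg(SAMPLE_CFG):
        print("CFG:", finding)
    for line, name in find_hardcoded_credentials(SAMPLE_DAG):
        print(f"DAG: hardcoded credential '{name}' at line {line}")
    for key in credential_keys_in_extra(SAMPLE_EXTRA):
        print("CONNECTION: secret in Extra field:", key)
```

Run it against real files by reading airflow.cfg, each file under the DAGs folder, and the Extra column exported from the metadata database; any DAG hit should be replaced with a Connection or Variable lookup, and any Connection hit means a Fernet key must be set so that field is actually encrypted.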
The vast majority of issues were found on servers running Airflow 1.x, a branch that dates back to the project's 2015 release and is still used by organizations across all sectors.
Airflow 2 introduced many security improvements, including a stable REST API that requires authentication for every operation (its auth_backend setting defaults to deny_all, so the API rejects requests until an administrator configures an authentication backend). The newer version also no longer writes sensitive information to its logs, and it requires the administrator to set security-relevant options explicitly rather than relying on permissive defaults.