CRITICAL 9.1
PYSEC-2026-278
Improper Certificate Validation in apache airflow mongo hook
Details
When SSL was enabled for the Mongo Hook, the default settings included "allow_insecure", which meant that certificates were not validated. This behaviour was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue.
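One way to check a deployment against the fixed version, as an added example that is not part of the advisory: it scans `pip freeze`-style lines for exact pins of the package below 4.0.0. The function names and the sample lines are assumptions made for illustration.

```python
import re

PACKAGE = "apache-airflow-providers-mongo"  # package name from the advisory
FIXED = (4, 0, 0)                           # "Fixed in" version from the advisory

# requirement name, optional [extras], then whatever version specifier follows
_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(.*)$")

def _normalize(name):
    """PEP 503 normalization so 'Apache_Airflow_Providers_Mongo' still matches."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _release(version):
    """Purely numeric version as a tuple padded to 3 parts, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None  # pre-release or unusual string: do not guess its ordering
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))

def classify(line):
    """'affected', 'fixed' or 'unknown' for the Mongo provider; None for other lines."""
    spec = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comment and marker
    m = _REQ.match(spec)
    if not m or _normalize(m.group(1)) != PACKAGE:
        return None
    pin = re.fullmatch(r"==\s*([^\s,]+)", m.group(2).strip())
    release = _release(pin.group(1)) if pin else None
    if release is None:
        return "unknown"  # range or no exact pin: check the resolved version instead
    return "affected" if release < FIXED else "fixed"

def audit(lines):
    """Return (line, verdict) for every line that names the Mongo provider."""
    return [(l.strip(), c) for l in lines if (c := classify(l)) is not None]

# Constructed sample input, not taken from any real environment.
SAMPLE = [
    "apache-airflow==2.8.1",
    "apache-airflow-providers-mongo==3.5.0",
    "Apache_Airflow_Providers_Mongo==4.0.0  # upgraded",
    "apache-airflow-providers-mongo>=3.0",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE):
        print(f"{verdict:9} {line}")
```

An "unknown" verdict means the line does not pin an exact release, so the version actually installed in the environment still has to be checked.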
Affected packages
PyPI / apache-airflow-providers-mongo
Introduced in: 0
Fixed in: 4.0.0
Fix
pip install --upgrade 'apache-airflow-providers-mongo>=4.0.0'
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-25141 [ADVISORY]
- https://github.com/apache/airflow/pull/37214 [WEB]
- https://github.com/apache/airflow [PACKAGE]
- https://lists.apache.org/thread/sqgbfqngjmn45ommmrgj7hvs7fgspsgm [WEB]
- http://www.openwall.com/lists/oss-security/2024/02/20/5 [WEB]
- https://pypi.org/project/apache-airflow-providers-mongo [PACKAGE]
- https://github.com/advisories/GHSA-x5pm-h33q-cjrw [ADVISORY]