Hi Airflow community, Please find below the information about a vulnerability which has been addressed in Apache Airflow v2.0.1:
*CVE-2021-26697: Apache Airflow: Lineage API endpoint for Experimental API missed authentication check* *Description*: The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity CVE as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0. Upgrade to Airflow 2.0.1 to mitigate this issue. This does not affect users who have changed the default value for `[webserver] secret_key` config. *Credits*: Apache Airflow would like to thank Ian Carroll for reporting this issue. Thanks. Kaxil @ Airflow PMC
