In Apache Airflow 1.8.2 and previous versions, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.
apache airflow