Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-7858

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x could lead to an unauthenticated remote code execution.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
01/06/2026

CVE-2026-49361

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service.<br /> <br /> This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0.<br /> <br /> Users are recommended to upgrade to version 0.9.1, which fixes the issue.
Gravedad CVSS v3.1: ALTA
Última modificación:
01/06/2026

CVE-2026-46764

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Gravedad CVSS v3.1: MEDIA
Última modificación:
02/06/2026

CVE-2026-49298

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A bug in Apache Airflow&amp;#39;s KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g. `pods/get` in the Airflow namespace) could harvest the JWT from `kubectl describe pod` output and then call state-mutating Execution API endpoints — triggering Dag runs, clearing runs, reading or writing Variables / Connections / XComs — as if they were a running task. Affects deployments using the `KubernetesExecutor`. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. This is the airflow-core half of the same vulnerability addressed by [CVE-2026-27173](https://www.cve.org/CVERecord?id=CVE-2026-27173), which shipped the apache-airflow-providers-cncf-kubernetes side of the fix. Deployments that already upgraded `apache-airflow-providers-cncf-kubernetes` to 10.17.0 or later per the CVE-2026-27173 advisory should additionally upgrade `apache-airflow` to 3.2.2 or later to close the core-side surface — the two fixes are complementary, not duplicates.
Gravedad CVSS v3.1: ALTA
Última modificación:
03/06/2026

CVE-2026-49267

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Apache Airflow&amp;#39;s EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the configured SMTP server (network MITM — typical hostile-network attack-surface for environments where the SMTP relay sits outside the worker&amp;#39;s trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded.<br /> <br /> This CVE covers the **core apache-airflow side** of the same root cause already covered for the SMTP provider by `CVE-2026-41016` (published 2026-04-27, covering `apache-airflow-providers-smtp`). Users who already applied the SMTP-provider fix from CVE-2026-41016 should additionally upgrade `apache-airflow` to 3.2.2 or later to cover the core-side path through `airflow.utils.email`. Affects deployments configured with `smtp_starttls=True` and `smtp_ssl=False` where the SMTP relay is reachable across a less-trusted network segment than the worker.<br /> <br /> Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/06/2026

CVE-2026-48726

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A bug in Apache Airflow&amp;#39;s auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/06/2026

CVE-2026-42588

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper Input Validation, Improper Control of Generation of Code (&amp;#39;Code Injection&amp;#39;) vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.<br /> <br /> Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including<br /> BrokerService.addNetworkConnector(String).<br /> <br /> An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport&amp;#39;s brokerConfig parameter using the "masterslave:// " URL which can allow loading a Spring XML application context using ResourceXmlApplicationContext.<br /> Because Spring&amp;#39;s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker&amp;#39;s JVM through bean factory methods such as Runtime.exec().<br /> This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.<br /> <br /> Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
Gravedad CVSS v3.1: ALTA
Última modificación:
01/06/2026

CVE-2026-42360

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A bug in Apache Airflow&amp;#39;s rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path.
Gravedad CVSS v3.1: MEDIA
Última modificación:
01/06/2026

CVE-2026-46605

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions.<br /> <br /> This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.<br /> <br /> Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.
Gravedad CVSS v3.1: MEDIA
Última modificación:
01/06/2026

CVE-2026-45505

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper Input Validation, Improper Control of Generation of Code (&amp;#39;Code Injection&amp;#39;) vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.<br /> <br /> <br /> Non-parenthesized discovery wrappers such as `masterslave:vm://...,...`<br /> and `static:vm://...` incorrectly pass validation allowing bypass of fix in CVE-2026-34197. <br /> <br /> Original description from CVE-2026-34197.<br /> <br /> Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery UR that triggers the VM transport&amp;#39;s brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring&amp;#39;s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker&amp;#39;s JVM through bean factory methods such as Runtime.exec(). <br /> This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.<br /> <br /> Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
Gravedad CVSS v3.1: ALTA
Última modificación:
01/06/2026

CVE-2026-45426

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow&amp;#39;s Log server authorized JWT tokens against Dag IDs by applying Python&amp;#39;s `str.lstrip()` to the requested path segment when verifying the JWT&amp;#39;s `sub` claim. `str.lstrip()` strips any of a *set* of characters from the left (not a prefix), so a JWT issued for a Dag named e.g. `dag_a` would authorize log access to any other Dag whose name began with any subset of the characters `{d, a, g, _}` (e.g. `dag_attacker`, `aaaa_target`, `_dag_secret`). Such an authenticated worker could enumerate and read worker logs of other Dags whose names happened to share that character-class prefix, leaking task output and error traces beyond the documented per-Dag isolation boundary. Affects deployments relying on per-Dag log-access scoping (multi-team, shared-executor, shared-worker topologies). Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Gravedad CVSS v3.1: BAJA
Última modificación:
01/06/2026

CVE-2026-44825

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. <br /> <br /> As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.<br /> The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.<br /> <br /> Not affected:<br /> * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth<br /> * Clusters where template users have been assigned strong passwords after bootstrap
Gravedad CVSS v3.1: ALTA
Última modificación:
01/06/2026