
AI CVE review drafts#138

Open
github-actions[bot] wants to merge 19 commits into main from cve-ai-review/refresh

Conversation

github-actions[bot] (Contributor) commented Jun 3, 2026

AI CVE review drafts

18 draft assessment(s) across 4 package(s) (model: claude-sonnet-4-6).

  • ✅ agrees with auto match: 10
  • ⚠️ disagrees: 8
  • ❓ unknown: 0

Status mix: 🔴 affected × 10, 🟢 not_affected × 8

🤖 These are drafts, not authoritative. Promote into mappings/cve_contributions/ via the SPA or pixi run promote-ai-draft after review.

Summary

| package | advisory | status | agrees | runtime | severity-in-conda | run |
|---|---|---|---|---|---|---|
| airflow-with-github_enterprise | GHSA-7wqf-h36w-47mc | 🟢 not_affected | ⚠️ | no | lower | f8ada6 |
| airflow-with-github_enterprise | GHSA-c732-xvv8-g94c | 🟢 not_affected | ⚠️ | no | lower | f8ada6 |
| airflow-with-github_enterprise | GHSA-rmf2-pwfq-h75j | 🟢 not_affected | ⚠️ | no | lower | f8ada6 |
| airflow-with-github_enterprise | PYSEC-2023-314 | 🟢 not_affected | ⚠️ | no | lower | f8ada6 |
| airflow-with-github_enterprise | PYSEC-2025-87 | 🟢 not_affected | ⚠️ | no | lower | f8ada6 |
| airflow-with-google_auth | GHSA-7wqf-h36w-47mc | 🔴 affected | ✅ | partial | lower | f8ada6 |
| airflow-with-google_auth | GHSA-c732-xvv8-g94c | 🔴 affected | ✅ | partial | same | f8ada6 |
| airflow-with-google_auth | GHSA-rmf2-pwfq-h75j | 🔴 affected | ✅ | partial | lower | f8ada6 |
| airflow-with-google_auth | PYSEC-2023-314 | 🟢 not_affected | ⚠️ | no | lower | f8ada6 |
| airflow-with-leveldb | GHSA-7wqf-h36w-47mc | 🔴 affected | ✅ | partial | lower | 688517 |
| airflow-with-leveldb | GHSA-7wqf-h36w-47mc | 🔴 affected | ✅ | partial | lower | f8ada6 |
| airflow-with-leveldb | GHSA-c732-xvv8-g94c | 🔴 affected | ✅ | yes | same | 688517 |
| airflow-with-leveldb | GHSA-c732-xvv8-g94c | 🔴 affected | ✅ | partial | lower | f8ada6 |
| airflow-with-leveldb | GHSA-rmf2-pwfq-h75j | 🔴 affected | ✅ | partial | lower | 688517 |
| airflow-with-leveldb | GHSA-rmf2-pwfq-h75j | 🔴 affected | ✅ | partial | lower | f8ada6 |
| airflow-with-leveldb | PYSEC-2023-314 | 🟢 not_affected | ⚠️ | no | lower | 688517 |
| airflow-with-leveldb | PYSEC-2023-314 | 🟢 not_affected | ⚠️ | no | lower | f8ada6 |
| chromadb | GHSA-f4j7-r4q5-qw2c | 🔴 affected | ✅ | yes | same | f8ada6 |

Per-draft reasoning

airflow-with-github_enterprise — 5 draft(s)

GHSA-7wqf-h36w-47mc — 🟢 not_affected

Why the AI accepts this

This advisory covers an OS Command Injection in the Apache Airflow Pinot Provider, affecting all apache-airflow versions prior to 2.3.0. The OSV range event is 'introduced: 0, fixed: 2.3.0', meaning all versions before 2.3.0 are vulnerable when the Pinot Provider is installed. The conda-forge package airflow-with-github_enterprise ships version 2.10.5 as its latest version, which is well above the fixed threshold of 2.3.0. The auto-derived affected_versions list (1.9.0 through 2.2.5) contains only versions that are older than the fix and are consistent with the OSV range. However, none of the listed affected conda versions (1.9.0, 1.10.0, etc. through 2.2.5) correspond to the airflow-with-github_enterprise conda-forge package, which appears to only be available at version 2.10.5 based on the provided data. Additionally, this vulnerability is specific to the Pinot Provider, not the base Airflow or GitHub Enterprise extras, further limiting applicability. Since 2.10.5 is fixed and no conda-forge versions of this specific package appear to fall in the vulnerable range, the package is not affected.

affected_versions

  • agrees with auto match: ⚠️
  • suggested removes: 1.9.0, 1.10.0, 1.10.1, 1.10.2, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5
  • reasoning: The OSV range fixes at 2.3.0, and the only known conda-forge version of airflow-with-github_enterprise is 2.10.5, which is above the fix. The listed affected versions (1.9.0 through 2.2.5) do not appear to correspond to any shipped conda-forge versions of this specific package variant.

runtime_applicability: no — The vulnerability is in the Apache Airflow Pinot Provider, not in the base Airflow package or the GitHub Enterprise extras. The airflow-with-github_enterprise package provides GitHub Enterprise OAuth integration and does not include the Pinot Provider.

severity_in_conda_context: lower — The vulnerability requires the Pinot Provider to be installed separately. In the conda-forge airflow-with-github_enterprise context, the Pinot Provider is not a dependency and the shipped version 2.10.5 is well past the fixed version 2.3.0.

notes: The affected_versions list should be cleared for this conda package since airflow-with-github_enterprise does not ship the Pinot Provider and the current version 2.10.5 is not vulnerable. Human verification recommended to confirm no historical conda-forge builds of this package existed at versions below 2.3.0.

  • proposed justification: vulnerable_code_not_present
  • proposed impact_statement: The conda-forge package airflow-with-github_enterprise ships version 2.10.5, which is above the fixed threshold of 2.3.0. The Pinot Provider vulnerability does not apply to the GitHub Enterprise extras variant, and none of the affected conda-forge versions listed correspond to this specific conda package.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

GHSA-c732-xvv8-g94c — 🟢 not_affected

Why the AI accepts this

This advisory covers Command Injection in Apache Airflow (fixed in 2.5.1) and the Apache Airflow MySQL Provider (fixed in 4.0.0). The OSV range for apache-airflow is 'introduced: 0, fixed: 2.5.1'. The conda-forge package airflow-with-github_enterprise ships version 2.10.5, which is significantly above the fixed threshold of 2.5.1. The listed affected conda versions (1.9.0 through 2.5.0) are all below 2.5.1 and consistent with the OSV range, but none of these versions appear to correspond to known conda-forge releases of the airflow-with-github_enterprise package specifically, whose only documented version is 2.10.5. Furthermore, this vulnerability is tied to the MySQL Provider, not the GitHub Enterprise provider, making it additionally inapplicable to this specific conda package variant.

affected_versions

  • agrees with auto match: ⚠️
  • suggested removes: 1.9.0, 1.10.0, 1.10.1, 1.10.2, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0
  • reasoning: The OSV range fixes at 2.5.1, and the only known conda-forge version of airflow-with-github_enterprise is 2.10.5, which is above the fix. None of the listed affected versions appear to correspond to shipped conda-forge versions of this specific package variant.

runtime_applicability: no — The vulnerability primarily affects the MySQL Provider, which is not part of the airflow-with-github_enterprise extras. The current conda-forge version 2.10.5 is also above the fixed version 2.5.1 for the base airflow vulnerability.

severity_in_conda_context: lower — The MySQL Provider is not installed as part of the GitHub Enterprise extras for Airflow. The conda-forge version 2.10.5 is also patched with respect to the base Airflow component of this CVE.

notes: Both the apache-airflow and apache-airflow-providers-mysql components are addressed here. The conda-forge airflow-with-github_enterprise package neither ships the MySQL Provider nor is it at a vulnerable Airflow version. All listed affected_versions should be removed.

  • proposed justification: vulnerable_code_not_present
  • proposed impact_statement: The conda-forge airflow-with-github_enterprise package ships version 2.10.5, well above the fixed threshold of 2.5.1. This package variant provides GitHub Enterprise OAuth integration and does not include the MySQL Provider that is the primary vector for this vulnerability.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

GHSA-rmf2-pwfq-h75j — 🟢 not_affected

Why the AI accepts this

This advisory covers OS Command Injection in the Apache Airflow Pig Provider, affecting all apache-airflow versions prior to 2.3.0. The OSV range is 'introduced: 0, fixed: 2.3.0'. The conda-forge package airflow-with-github_enterprise ships version 2.10.5, which is far above the fixed threshold of 2.3.0. The listed affected conda versions (1.9.0 through 2.2.5) are all below 2.3.0 and consistent with the OSV range, but none of these versions appear to correspond to known conda-forge releases of the airflow-with-github_enterprise package specifically. Additionally, the vulnerability is specific to the Pig Provider, not the base Airflow package or the GitHub Enterprise extras, making it further inapplicable to this conda package variant.

affected_versions

  • agrees with auto match: ⚠️
  • suggested removes: 1.9.0, 1.10.0, 1.10.1, 1.10.2, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5
  • reasoning: The OSV range fixes at 2.3.0, and the only known conda-forge version of airflow-with-github_enterprise is 2.10.5, which is above the fix. The listed affected versions (1.9.0 through 2.2.5) do not appear to correspond to any shipped conda-forge versions of this specific package variant.

runtime_applicability: no — The vulnerability is in the Apache Airflow Pig Provider, not in the base Airflow package or GitHub Enterprise extras. The airflow-with-github_enterprise package does not include the Pig Provider as a dependency, and the shipped version 2.10.5 is above the fix point of 2.3.0.

severity_in_conda_context: lower — The vulnerability requires the Pig Provider to be installed, which is not part of the GitHub Enterprise extras. The conda-forge version 2.10.5 is also patched with respect to the base Airflow version constraint.

notes: Similar to GHSA-7wqf-h36w-47mc, this is a provider-specific vulnerability (Pig Provider) that does not apply to the airflow-with-github_enterprise package variant. All listed affected_versions should be removed. Human verification is recommended to confirm no historical conda-forge builds of this package existed at versions below 2.3.0.

  • proposed justification: vulnerable_code_not_present
  • proposed impact_statement: The conda-forge airflow-with-github_enterprise package ships version 2.10.5, well above the fixed threshold of 2.3.0. This package variant provides GitHub Enterprise OAuth integration and does not include the Pig Provider that is the vector for this vulnerability.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

PYSEC-2023-314 — 🟢 not_affected

Why the AI accepts this

PYSEC-2023-314 is an Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider (apache-airflow-providers-sqoop), specifically affecting versions before 3.1.1 of that provider. The OSV record is attached to the apache-airflow core package but the actual vulnerability resides in the Sqoop provider, which is a separately installable component. The package under review is 'airflow-with-github_enterprise', a conda metapackage that pulls in Airflow core with GitHub Enterprise extras — it does not include the Sqoop provider. Since the Sqoop provider is not part of the github_enterprise extra and would not be installed by this package, the vulnerable code path is not present. The conda-listed affected versions (up to 2.10.5) span the OSV range introduced=0/fixed=3.1.1, but that OSV range refers to the Sqoop provider version, not core Airflow; the mismatch in the OSV record inflates the apparent scope. This match should be marked not_affected because the Sqoop provider component is absent from this conda artifact.

affected_versions

  • agrees with auto match: ⚠️
  • suggested removes: 1.9.0, 1.10.0, 1.10.1, 1.10.2, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.10.4, 2.10.5
  • reasoning: The OSV range (introduced=0, fixed=3.1.1) refers to the Sqoop provider package version, not the Airflow core version. The 'airflow-with-github_enterprise' artifact does not include the Sqoop provider, so all listed conda versions should be removed from the affected set.

runtime_applicability: no — The Sqoop provider is a separately installable Airflow plugin and is not a dependency of the github_enterprise extra. The vulnerable code does not execute in this conda artifact.

severity_in_conda_context: lower — Since the Sqoop provider is not included in this package, the effective severity for users of airflow-with-github_enterprise is zero regardless of the CVSS 9.8 score assigned to the Sqoop provider vulnerability.

notes: The OSV record conflates the Sqoop provider vulnerability with the core apache-airflow package, causing over-broad matching. Human verification of whether any variant of this conda package ever bundled the Sqoop provider would be prudent, but the github_enterprise extra is clearly unrelated to Sqoop.

  • proposed justification: component_not_present
  • proposed impact_statement: The vulnerability affects the Apache Airflow Sqoop Provider (apache-airflow-providers-sqoop), not the Airflow core package. The 'airflow-with-github_enterprise' conda package installs Airflow core with GitHub Enterprise extras only and does not include or depend on the Sqoop provider; therefore the vulnerable component is not present.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

PYSEC-2025-87 — 🟢 not_affected

Why the AI accepts this

PYSEC-2025-87 describes an RCE vulnerability in the Apache Airflow Edge3 provider (apache-airflow-providers-edge3) when used with Airflow 2. The OSV range covers apache-airflow versions from 0 up to (but not including) 2.0.0, yet the advisory text explicitly states this only affects Airflow 2 with the Edge3 provider installed and configured. The conda-forge affected_versions list includes only 1.9.0, 1.10.0, 1.10.1, and 1.10.2, all of which are below 2.0.0 and thus outside the stated Airflow 2 scope of the advisory. Furthermore, the package is 'airflow-with-github_enterprise', which targets Airflow 2.10.5 and does not include the Edge3 provider. The Edge3 provider is a niche, development-oriented component unrelated to GitHub Enterprise functionality, so the vulnerable component is absent from this artifact.

affected_versions

  • agrees with auto match: ⚠️
  • suggested removes: 1.9.0, 1.10.0, 1.10.1, 1.10.2
  • reasoning: The OSV ecosystem range is introduced=0, fixed=2.0.0, covering only Airflow 1.x releases. The advisory text clarifies the vulnerability requires Airflow 2 with Edge3 provider installed — a contradiction with the range. None of the four listed conda versions (all 1.x) correspond to a state where the Edge3 provider for Airflow 2 would be present. All should be removed from the affected set.

runtime_applicability: no — The Edge3 provider is not a dependency of the github_enterprise extra and is not bundled in this conda package. Additionally, the advisory itself states that users on Airflow 3 are not affected and the vulnerability only manifests when the Edge3 provider is explicitly installed and configured on Airflow 2, a scenario that cannot arise from installing this package.

severity_in_conda_context: lower — The CVSS 9.8 score is appropriate for deployments that have the Edge3 provider configured, but since this package does not include that component, the effective severity for consumers of airflow-with-github_enterprise is zero.

notes: The OSV record appears to be misattributed to apache-airflow core rather than to the Edge3 provider package. The OSV range (fixed at 2.0.0) also contradicts the advisory body which says the issue affects Airflow 2. Human review of the upstream OSV record is recommended to correct the range and package attribution.

  • proposed justification: component_not_present
  • proposed impact_statement: The vulnerability is in the Apache Airflow Edge3 provider (apache-airflow-providers-edge3) and only affects Airflow 2 deployments where the Edge3 provider was separately installed and configured. The 'airflow-with-github_enterprise' conda package does not include the Edge3 provider, and the listed affected conda versions (1.x) do not match the Airflow 2 requirement stated in the advisory. The vulnerable component is not present in this artifact.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

airflow-with-google_auth — 4 draft(s)

GHSA-7wqf-h36w-47mc — 🔴 affected

Why the AI accepts this

The OSV record fixes this vulnerability at apache-airflow 2.3.0, meaning all versions prior to 2.3.0 are affected. The auto-derived conda affected_versions list (2.0.1 through 2.2.5) correctly captures the conda-forge builds that fall within the vulnerable range. The latest conda-forge version is 2.10.5, which is well above the fixed version of 2.3.0 and is therefore not affected. The vulnerability specifically involves the Pinot Provider (a separately installable plugin); the airflow-with-google_auth conda package does not bundle the Pinot Provider, so the vulnerable code path is only reachable if the user separately installs apache-airflow-providers-apache-pinot < 4.0.0. The historical conda-forge builds listed (2.0.1–2.2.5) are genuinely vulnerable if paired with a vulnerable Pinot Provider, so marking them as affected is correct. Users on those old builds should upgrade to 2.10.5 or at minimum 2.3.0, and ensure Pinot Provider >= 4.0.0 if used.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range is introduced=0, fixed=2.3.0. The listed conda affected versions (2.0.1–2.2.5) are all below 2.3.0 and therefore correctly identified as affected. The latest conda version 2.10.5 is above the fix point and is not listed, which is correct.

runtime_applicability: partial — The vulnerability is in the Apache Pinot Provider, which is a separately installable plugin, not bundled with the core airflow-with-google_auth conda package. The vulnerable code path is only active if the user has separately installed apache-airflow-providers-apache-pinot < 4.0.0 alongside an affected Airflow version.

severity_in_conda_context: lower — The CVSS score of 9.8 (Critical) assumes the Pinot Provider is installed and in use. Since the conda package does not bundle the Pinot Provider and it must be separately installed, the effective severity is lower for most conda-forge users who have not installed that provider.

notes: The vulnerability requires the Pinot Provider to be installed separately. The conda-forge package airflow-with-google_auth does not include it. Only historical builds (2.0.1–2.2.5) on conda-forge fall within the vulnerable range.

  • proposed action_statement: Upgrade airflow-with-google_auth to version 2.10.5 (or at minimum 2.3.0). If using the Apache Pinot Provider, also upgrade it to >= 4.0.0. Historical conda-forge builds 2.0.1–2.2.5 are affected.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

GHSA-c732-xvv8-g94c — 🔴 affected

Why the AI accepts this

The OSV record fixes this vulnerability in apache-airflow at 2.5.1, covering all versions from 0 up to (but not including) 2.5.1. The auto-derived conda affected_versions list (2.0.1 through 2.5.0) correctly captures conda-forge builds in the vulnerable range. The latest conda-forge version 2.10.5 is well above the fix point and is not affected. The vulnerability also affects apache-airflow-providers-mysql < 4.0.0, which is a separately installable provider not bundled with the airflow-with-google_auth conda package, so the vulnerable MySQL code path requires a separate installation. However, the core Airflow command injection vector (the apache-airflow package range) applies directly to the listed historical conda builds.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range is introduced=0, fixed=2.5.1 for apache-airflow. The listed conda affected versions (2.0.1–2.5.0) are all below 2.5.1 and correctly identified as affected. The latest conda version 2.10.5 is above the fix point and is not listed, which is correct.

runtime_applicability: partial — The core command injection in apache-airflow (not just the MySQL provider) is present in the affected historical versions and applies to the airflow-with-google_auth package directly. The MySQL Provider component requires separate installation, but the base Airflow vulnerability applies to the shipped conda artifact for versions < 2.5.1.

severity_in_conda_context: same — The base apache-airflow command injection (not just the MySQL Provider component) is present in affected versions and the CVSS 9.8 rating reflects a network-exploitable command injection, which is accurate for the core Airflow vulnerability affecting the listed conda builds.

notes: This advisory covers both the core apache-airflow package and the MySQL Provider. The core Airflow vulnerability applies directly to the affected historical conda-forge builds. The MySQL Provider is a separate package not bundled in airflow-with-google_auth.

  • proposed action_statement: Upgrade airflow-with-google_auth to version 2.10.5 (or at minimum 2.5.1). If using the MySQL Provider, also upgrade apache-airflow-providers-mysql to >= 4.0.0. Historical conda-forge builds 2.0.1–2.5.0 are affected.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

GHSA-rmf2-pwfq-h75j — 🔴 affected

Why the AI accepts this

The OSV record fixes this vulnerability at apache-airflow 2.3.0, meaning all versions prior to 2.3.0 are affected. The auto-derived conda affected_versions list (2.0.1 through 2.2.5) correctly captures the conda-forge builds within the vulnerable range. The latest conda-forge version is 2.10.5, which is far above the fixed version and is not affected. The vulnerability specifically involves the Pig Provider (a separately installable plugin); the airflow-with-google_auth conda package does not bundle the Pig Provider, so the vulnerable code path is only reachable if the user separately installs apache-airflow-providers-apache-pig < 4.0.0. Historical conda-forge builds listed (2.0.1–2.2.5) are genuinely vulnerable if paired with a vulnerable Pig Provider version, so the match is appropriate for those versions.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range is introduced=0, fixed=2.3.0. The listed conda affected versions (2.0.1–2.2.5) are all below 2.3.0 and correctly identified as affected. The latest conda version 2.10.5 is above the fix point and is not listed, which is correct.

runtime_applicability: partial — The vulnerability is in the Apache Pig Provider, which is a separately installable plugin not bundled with the airflow-with-google_auth conda package. The vulnerable code path is only active if the user has separately installed apache-airflow-providers-apache-pig < 4.0.0 alongside an affected Airflow version.

severity_in_conda_context: lower — The CVSS score of 9.8 (Critical) assumes the Pig Provider is installed and in use. Since the conda package does not bundle the Pig Provider and it must be separately installed, the effective severity is lower for most conda-forge users who have not installed that provider. Pig usage in modern data pipelines is also relatively uncommon.

notes: The vulnerability requires the Pig Provider to be installed separately. The conda-forge package airflow-with-google_auth does not include it. Only historical builds (2.0.1–2.2.5) on conda-forge fall within the vulnerable range.

  • proposed action_statement: Upgrade airflow-with-google_auth to version 2.10.5 (or at minimum 2.3.0). If using the Apache Pig Provider, also upgrade it to >= 4.0.0. Historical conda-forge builds 2.0.1–2.2.5 are affected.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

PYSEC-2023-314 — 🟢 not_affected

Why the AI accepts this

CVE-2023-25693 is a vulnerability in the Apache Airflow Sqoop Provider (apache-airflow-providers-sqoop), not in core apache-airflow itself. The OSV record (PYSEC-2023-314) is associated with the apache-airflow PyPI package, but the actual fix referenced (PR #29500) and the advisory text explicitly state this affects 'Apache Airflow Sqoop Provider versions before 3.1.1' — a separately distributed provider package. The airflow-with-google_auth conda-forge package is a metapackage that installs core Airflow with Google Auth extras; it does not vendor or depend on the Sqoop provider. The OSV range covering all apache-airflow versions up to 3.1.1 is over-broad because it incorrectly attributes a provider-specific vulnerability to the core package. Therefore, the conda artifact under review does not contain the vulnerable Sqoop provider code and should not be considered affected by this advisory.

affected_versions

  • agrees with auto match: ⚠️
  • suggested removes: 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.10.4, 2.10.5
  • reasoning: All listed affected conda-forge versions should be removed. The OSV range (introduced: 0, fixed: 3.1.1) was applied to apache-airflow core but the advisory explicitly states the vulnerability is in the Sqoop Provider package (apache-airflow-providers-sqoop), which is a separate distribution not included in airflow-with-google_auth. None of these core Airflow conda-forge versions are actually vulnerable to this CVE by virtue of being the airflow-with-google_auth package.

runtime_applicability: no — The Sqoop provider is a separately installed package (apache-airflow-providers-sqoop) and is not bundled with or required by the airflow-with-google_auth metapackage. The vulnerable input validation code in the Sqoop provider is not present in the runtime environment of this conda artifact unless the user explicitly installs the Sqoop provider separately.

severity_in_conda_context: lower — Since the Sqoop provider is not included in this package, the CVSS 9.8 critical score is not relevant to this artifact. The severity is effectively zero for this specific conda package.

notes: This is a false positive match. PYSEC-2023-314/CVE-2023-25693 should be attributed to apache-airflow-providers-sqoop (a separate PyPI/conda package), not to apache-airflow core or the airflow-with-google_auth metapackage. The OSV record's broad ecosystem range covering all apache-airflow versions is misleading. Maintainers should verify whether a conda-forge package for apache-airflow-providers-sqoop exists and assess that package instead.

  • proposed justification: vulnerable_code_not_present
  • proposed impact_statement: The vulnerability affects the apache-airflow-providers-sqoop package (versions before 3.1.1), not core apache-airflow or the google_auth extras. The airflow-with-google_auth conda-forge package does not include or depend on the Sqoop provider, so the vulnerable code is not present in this artifact.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

airflow-with-leveldb — 8 draft(s)

GHSA-7wqf-h36w-47mc — 🔴 affected

Why the AI accepts this

This advisory covers an OS command injection vulnerability in the Apache Airflow Pinot Provider, affecting all Airflow versions prior to 2.3.0 when the Pinot Provider is installed. The OSV range is 'introduced: 0, fixed: 2.3.0', meaning all conda-forge builds of airflow-with-leveldb before 2.3.0 would be technically within scope. The latest conda-forge version is 2.10.5, which is well beyond the fix boundary. The affected_versions list (2.1.1 through 2.2.5) correctly captures the conda-forge-shipped versions that fall in the vulnerable range. However, the vulnerability only materializes if the Pinot Provider (apache-airflow-providers-apache-pinot) is separately installed — the airflow-with-leveldb conda package does not bundle the Pinot Provider, so the vulnerable code path is not present in the package itself. Historical conda-forge builds in the 2.1.x–2.2.x range are conditionally vulnerable depending on whether users separately installed the Pinot Provider. The current conda-forge version (2.10.5) is unambiguously beyond the fix boundary for both Airflow core and the Pinot Provider version requirement.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range covers introduced:0 to fixed:2.3.0. The listed affected conda versions (2.1.1 through 2.2.5) correctly represent the conda-forge builds that fall within this range. Versions 2.3.0 and above, including the latest 2.10.5, are not in the affected set, which aligns with the fix boundary.

runtime_applicability: partial — The vulnerability is in the Pinot Provider, which is a separately installable plugin and is NOT bundled with airflow-with-leveldb. Exploitation requires that users have separately installed apache-airflow-providers-apache-pinot < 4.0.0 alongside a vulnerable Airflow core version. Without the Pinot Provider installed, the vulnerable code path is absent.

severity_in_conda_context: lower — The CVSS score of 9.8 assumes the Pinot Provider is present and exploitable. In the conda-forge airflow-with-leveldb artifact, the Pinot Provider is not bundled, making exploitation contingent on a separate optional installation, which reduces the practical severity for most users of this conda package.

notes: This CVE requires both a vulnerable Airflow core version AND the separately installed Pinot Provider < 4.0.0. Conda-forge does not ship the Pinot Provider as part of airflow-with-leveldb. Historical builds (2.1.1-2.2.5) remain in the affected set for users who may have installed the provider separately.

  • proposed action_statement: Upgrade to airflow-with-leveldb >= 2.3.0 (latest conda-forge version is 2.10.5, which is unaffected). Additionally, ensure the apache-airflow-providers-apache-pinot package is at version 4.0.0 or later if it is installed separately, as the vulnerability requires the Pinot Provider to be present.
  • run file: mappings/cve_ai_drafts/2026-06-03T09-59-35-202105Z--688517.json

GHSA-7wqf-h36w-47mc — 🔴 affected

Why the AI accepts this

The OSV range covers apache-airflow from 0 to fixed at 2.3.0, meaning all versions below 2.3.0 are vulnerable. The conda-forge airflow-with-leveldb package's latest version is 2.10.5, which is well above the fixed point of 2.3.0. The auto-derived affected_versions list only includes versions 2.1.1 through 2.2.5, which are correctly within the vulnerable range (below 2.3.0). The vulnerability specifically concerns the Pinot Provider's command injection when that optional provider is installed; the base airflow package is listed as affected only when the Pinot Provider is also present. Since 2.10.5 is the latest conda version and is far above 2.3.0, it is not affected. However, the listed conda-forge affected versions (2.1.1–2.2.5) are historically shipped versions within the vulnerable range. The match is historically valid for those older conda-forge builds, and the latest version is not affected.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range specifies introduced=0, fixed=2.3.0. All listed conda affected versions (2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5) are below 2.3.0 and thus correctly within the vulnerable range. No versions >= 2.3.0 are listed, which is correct. The latest conda version 2.10.5 is not in the affected list, which is appropriate.

runtime_applicability: partial — The vulnerability is in the Pinot Provider component. The base airflow package is only affected if apache-airflow-providers-pinot is installed alongside it. The airflow-with-leveldb conda package adds the leveldb extra, not Pinot, so whether the Pinot provider is present depends on whether it is separately installed by the user.

severity_in_conda_context: lower — The CVSS score of 9.8 CRITICAL is assigned for cases where the Pinot Provider is installed and used. Since airflow-with-leveldb does not bundle the Pinot Provider and it must be separately installed, the effective severity in the typical conda deployment is lower than the headline score suggests. Exploitation also requires the ability to influence task execution context.

notes: The airflow-with-leveldb conda package is a metapackage that installs apache-airflow with the leveldb extra. The Pinot Provider is a separate optional component. Human verification of which conda-forge builds exist for versions below 2.3.0 is recommended before finalizing the affected version list.

  • proposed action_statement: Upgrade to airflow-with-leveldb >= 2.3.0 on conda-forge. The latest conda-forge version 2.10.5 is not affected. Users running historical conda-forge builds of versions 2.1.1 through 2.2.5 should upgrade. Note that full remediation also requires installing apache-airflow-providers-pinot >= 4.0.0 if the Pinot Provider is used.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

GHSA-c732-xvv8-g94c — 🔴 affected

Why the AI accepts this

This advisory covers a command injection vulnerability in Apache Airflow core (before 2.5.1) and the MySQL Provider (before 4.0.0). Unlike the Pinot and Pig provider issues, this CVE affects Airflow core itself (not solely a provider), though it is also linked to the MySQL Provider. The OSV range is 'introduced: 0, fixed: 2.5.1' for the core package. The listed affected conda-forge versions (2.1.1 through 2.5.0) are correct — they cover the range below the fix. The latest conda-forge version is 2.10.5, which is well beyond 2.5.1 and thus fixed. Historical conda-forge builds from 2.1.1 through 2.5.0 are genuinely vulnerable. The MySQL provider component is separately installable and not bundled, but the core Airflow vulnerability applies to all installs in the affected range regardless of provider installation.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range covers introduced:0 to fixed:2.5.1 for apache-airflow core. The listed affected conda versions (2.1.1 through 2.5.0) correctly capture the conda-forge-shipped versions in this range. Version 2.5.1 and above, including the current 2.10.5, are outside the affected range.

runtime_applicability: yes — This vulnerability affects Airflow core itself (before 2.5.1), not just an optional provider. All conda-forge builds of airflow-with-leveldb in the affected version range are vulnerable without any additional provider installation being required. The MySQL provider component adds an additional attack surface but is not the sole source of the core vulnerability.

severity_in_conda_context: same — Since this vulnerability affects Airflow core and not just an optional provider, the CVSS 9.8 score is more representative of the actual risk for conda-forge users running affected versions. The core command injection is present regardless of which providers are installed.

notes: The dual nature of this CVE (affecting both Airflow core and the MySQL provider) means all historical conda-forge builds in the affected range are genuinely vulnerable at the core level. The MySQL provider impact is additional and separate. Users should also check their MySQL provider version if installed.

  • proposed action_statement: Upgrade to airflow-with-leveldb >= 2.5.1 (latest conda-forge version is 2.10.5, which is unaffected). If the apache-airflow-providers-mysql package is also installed, upgrade it to >= 4.0.0.
  • run file: mappings/cve_ai_drafts/2026-06-03T09-59-35-202105Z--688517.json

GHSA-c732-xvv8-g94c — 🔴 affected

Why the AI accepts this

The OSV range for apache-airflow covers from 0 to fixed at 2.5.1, meaning all versions below 2.5.1 are vulnerable. The auto-derived affected_versions list covers 2.1.1 through 2.5.0, all of which fall within the vulnerable range (below 2.5.1). The latest conda-forge version 2.10.5 is well above 2.5.1 and is not affected. The vulnerability involves command injection in the MySQL Provider; the core airflow package is co-listed because the injection vector exists when the MySQL Provider is installed. The airflow-with-leveldb conda package installs the leveldb extra, not the MySQL provider, so exploitation depends on whether the MySQL provider is separately installed. The match is historically valid for conda-forge builds in the 2.1.1–2.5.0 range.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range specifies introduced=0, fixed=2.5.1. All listed conda affected versions (2.1.1 through 2.5.0) are below 2.5.1 and correctly within the vulnerable range. No versions >= 2.5.1 are included in the affected list, which is correct. The latest conda version 2.10.5 is not affected.

runtime_applicability: partial — The vulnerability is primarily in the MySQL Provider component. The core airflow package is co-affected, but exploitation requires the MySQL Provider to be installed. The airflow-with-leveldb conda package installs airflow with the leveldb extra only; whether the MySQL provider is present depends on separate user installation.

severity_in_conda_context: lower — The CVSS 9.8 CRITICAL score applies when the MySQL Provider is actively used. Since airflow-with-leveldb does not bundle the MySQL Provider, and it must be separately installed, the realistic severity for a typical airflow-with-leveldb deployment is lower than the headline score. Exploitation also requires influence over task execution context.

notes: This CVE covers both apache-airflow core and apache-airflow-providers-mysql. The conda affected versions here are for the core airflow component only. The MySQL Provider is a separate conda package and would need its own assessment. Human verification is recommended.

  • proposed action_statement: Upgrade to airflow-with-leveldb >= 2.5.1 on conda-forge. The latest conda-forge version 2.10.5 is not affected. Users on historical conda-forge builds from 2.1.1 through 2.5.0 should upgrade. Full remediation also requires installing apache-airflow-providers-mysql >= 4.0.0 if the MySQL Provider is in use.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

GHSA-rmf2-pwfq-h75j — 🔴 affected

Why the AI accepts this

This advisory covers an OS command injection vulnerability in the Apache Airflow Pig Provider, affecting all Airflow versions prior to 2.3.0 when the Pig Provider is installed. Like the Pinot Provider issue (GHSA-7wqf-h36w-47mc), the vulnerability only manifests when the separately installable Pig Provider (apache-airflow-providers-apache-pig) is present. The OSV range is 'introduced: 0, fixed: 2.3.0'. The listed affected conda versions (2.1.1 through 2.2.5) correctly represent conda-forge builds within this range. The latest conda-forge version (2.10.5) is well beyond the fix boundary. The Pig Provider is not bundled in airflow-with-leveldb, so the vulnerable code path is absent unless users separately install it. Historical builds remain conditionally vulnerable for users who installed the Pig Provider alongside a pre-2.3.0 Airflow.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range covers introduced:0 to fixed:2.3.0. The listed affected conda versions (2.1.1 through 2.2.5) correctly represent the conda-forge builds that fall within this range. Versions 2.3.0 and above, including the latest 2.10.5, are not affected according to the OSV fix boundary.

runtime_applicability: partial — The vulnerability is in the Pig Provider (apache-airflow-providers-apache-pig), which is a separately installable plugin not bundled with airflow-with-leveldb. Exploitation requires that users have separately installed the Pig Provider < 4.0.0 alongside a vulnerable Airflow core version. Without the Pig Provider, the vulnerable code path is absent from the conda artifact.

severity_in_conda_context: lower — The CVSS 9.8 score assumes the Pig Provider is installed and exploitable. Since the Pig Provider is not bundled with airflow-with-leveldb and must be separately installed by users, the practical severity for most conda-forge users is lower than the CVSS score suggests, as exploitation requires an additional optional component.

notes: This CVE is structurally very similar to GHSA-7wqf-h36w-47mc (Pinot Provider) — both require a separately installed provider on top of a pre-2.3.0 Airflow core. Conda-forge does not ship the Pig Provider as part of airflow-with-leveldb. Historical builds (2.1.1-2.2.5) remain in the affected set for users who may have installed the provider separately.

  • proposed action_statement: Upgrade to airflow-with-leveldb >= 2.3.0 (latest conda-forge version is 2.10.5, which is unaffected). Additionally, ensure the apache-airflow-providers-apache-pig package is at version 4.0.0 or later if it is installed separately, as the vulnerability requires the Pig Provider to be present.
  • run file: mappings/cve_ai_drafts/2026-06-03T09-59-35-202105Z--688517.json

GHSA-rmf2-pwfq-h75j — 🔴 affected

Why the AI accepts this

The OSV range covers apache-airflow from 0 to fixed at 2.3.0, meaning all versions below 2.3.0 are vulnerable. The auto-derived affected_versions list includes versions 2.1.1 through 2.2.5, all of which are correctly within the vulnerable range. The latest conda-forge version 2.10.5 is far above 2.3.0 and is not affected. This vulnerability is analogous to GHSA-7wqf-h36w-47mc but concerns the Pig Provider rather than the Pinot Provider; base airflow is co-affected only when the Pig Provider is installed. The airflow-with-leveldb conda package does not include the Pig Provider, so actual exploitability depends on whether it is separately installed. The historical match for versions 2.1.1–2.2.5 is valid.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV range specifies introduced=0, fixed=2.3.0. All listed conda affected versions (2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5) are below 2.3.0 and correctly within the vulnerable range. No versions >= 2.3.0 are listed, which is correct. The latest conda version 2.10.5 is not affected.

runtime_applicability: partial — The vulnerability is in the Pig Provider component. The base airflow package is only affected when apache-airflow-providers-apache-pig is installed alongside it. The airflow-with-leveldb conda package adds only the leveldb extra; Pig Provider installation is at user discretion and is not included by default.

severity_in_conda_context: lower — The CVSS 9.8 CRITICAL score applies when the Pig Provider is installed and used. Since airflow-with-leveldb does not bundle the Pig Provider and it must be separately installed, the effective severity in a typical conda deployment is lower than the headline score suggests. Exploitation also requires influence over the task execution context.

notes: This is the Pig Provider analogue to GHSA-7wqf-h36w-47mc (Pinot Provider). Both share the same OSV range (fixed at 2.3.0) and affected conda version list. Human verification of which historical conda-forge builds are still in active use is recommended before finalizing.

  • proposed action_statement: Upgrade to airflow-with-leveldb >= 2.3.0 on conda-forge. The latest conda-forge version 2.10.5 is not affected. Users running historical conda-forge builds of versions 2.1.1 through 2.2.5 should upgrade. Full remediation also requires installing apache-airflow-providers-apache-pig >= 4.0.0 if the Pig Provider is in use.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

PYSEC-2023-314 — 🟢 not_affected

Why the AI accepts this

CVE-2023-25693 is a vulnerability in the Apache Airflow Sqoop Provider (apache-airflow-providers-sqoop), not in the core apache-airflow package itself. The advisory explicitly states it affects 'Apache Airflow Sqoop Provider versions before 3.1.1'. The OSV record has been applied over-broadly to the core apache-airflow PyPI package, and the affected_versions list in the conda match incorrectly includes all versions of the core package up to 2.10.5. The conda package under review is airflow-with-leveldb, which is the core Airflow package with the LevelDB extra — it does not include or vendor the Sqoop provider. The Sqoop provider is a separately installable package (apache-airflow-providers-sqoop) and would only be relevant if that provider package were included, which it is not in this artifact. Therefore, this match is a false positive for the core airflow package and for airflow-with-leveldb specifically.

affected_versions

  • agrees with auto match: ⚠️
  • suggested removes: 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.10.4, 2.10.5
  • reasoning: The OSV range covers all apache-airflow core package versions up to 3.1.1, but the actual vulnerability is in the Sqoop Provider, a separate distribution. None of the versions of airflow-with-leveldb are affected because this package does not ship the Sqoop provider. All versions should be removed from the affected set for this conda artifact.

runtime_applicability: no — The Sqoop provider is not part of the airflow-with-leveldb conda package. The vulnerable code (airflow.providers.sqoop) is not present in the installed artifact and cannot be reached at runtime without separately installing apache-airflow-providers-sqoop.

severity_in_conda_context: lower — The CVSS score of 9.8 (Critical) applies to deployments where the Sqoop provider is installed and used. Since the Sqoop provider is absent from airflow-with-leveldb, the effective severity for this specific conda artifact is not applicable — there is no exposure.

notes: The OSV record PYSEC-2023-314 has been incorrectly attributed to the core apache-airflow package. The actual vulnerability lives in the apache-airflow-providers-sqoop package. Conda-forge maintainers should be aware that if they also ship apache-airflow-providers-sqoop, that package should be assessed separately for this CVE. The fix was introduced in apache-airflow-providers-sqoop 3.1.1 per the upstream advisory.

  • proposed justification: vulnerable_code_not_present
  • proposed impact_statement: The vulnerability affects the Apache Airflow Sqoop Provider (apache-airflow-providers-sqoop), which is a separately distributed package and is not included in or vendored by the airflow-with-leveldb conda package. The conda artifact only adds the LevelDB extra to core Airflow; the Sqoop provider code path is entirely absent.
  • run file: mappings/cve_ai_drafts/2026-06-03T09-59-35-202105Z--688517.json

PYSEC-2023-314 — 🟢 not_affected

Why the AI accepts this

CVE-2023-25693 is a vulnerability in the Apache Airflow Sqoop Provider (apache-airflow-providers-sqoop), specifically versions before 3.1.1 of that provider package. The OSV record (PYSEC-2023-314) has been incorrectly applied to the core apache-airflow package with a broad 'introduced: 0, fixed: 3.1.1' range, which conflates the Airflow core version namespace with the Sqoop provider package version namespace. The airflow-with-leveldb conda-forge package is a metapackage that installs apache-airflow core with the LevelDB extra, not the Sqoop provider. The vulnerable component (the Sqoop Provider) is a separately installable provider package (apache-airflow-providers-sqoop) and is not bundled with the core airflow package or the leveldb variant. Therefore, this CVE does not apply to airflow-with-leveldb unless the Sqoop provider is separately installed, which is outside the scope of this package.

affected_versions

  • agrees with auto match: ⚠️
  • suggested removes: 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.10.4, 2.10.5
  • reasoning: All listed affected versions should be removed. The OSV range 'introduced: 0, fixed: 3.1.1' mistakenly applies the Sqoop Provider's version fix boundary to the core apache-airflow package version space. The vulnerability only affects the separate apache-airflow-providers-sqoop package (versions < 3.1.1 of that provider), not the core airflow package at any version. No conda-forge airflow-with-leveldb versions are actually vulnerable via this CVE.

runtime_applicability: no — The Sqoop Provider is an independently installable provider package (apache-airflow-providers-sqoop) that is not included in, depended upon, or bundled with airflow-with-leveldb. The vulnerable code path (Sqoop operator input validation) is not present in this artifact.

severity_in_conda_context: lower — Since the Sqoop provider is not part of airflow-with-leveldb, the CVSS 9.8 critical score is not applicable to this conda artifact at all. Even if we considered deployments where users separately install the Sqoop provider, the impact is contained to that optional component.

notes: The OSV record PYSEC-2023-314 appears to have an incorrect or overly broad affected range that covers all apache-airflow versions before 3.1.1, when the actual vulnerability is in the separately versioned apache-airflow-providers-sqoop package (fix version 3.1.1 of the provider, not the core). The correct advisory target should be pkg:pypi/apache-airflow-providers-sqoop, not pkg:pypi/apache-airflow. A human reviewer should verify that the Sqoop provider is indeed absent from the airflow-with-leveldb conda-forge build and consider filing a correction against the OSV record.

  • proposed justification: component_not_present
  • proposed impact_statement: The vulnerability is in the Apache Airflow Sqoop Provider (apache-airflow-providers-sqoop versions before 3.1.1), which is a separate optional provider package not included in or required by airflow-with-leveldb. The conda-forge airflow-with-leveldb package installs apache-airflow core with LevelDB support only; the Sqoop provider is not bundled or installed as a dependency.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json

chromadb — 1 draft(s)

GHSA-f4j7-r4q5-qw2c — 🔴 affected

Why the AI accepts this

The OSV range covers chromadb 1.0.0 through 1.5.9 (last_affected), and the latest conda-forge version is 1.5.9, which falls squarely within this range. The vulnerability is a pre-authentication remote code injection triggered when a caller sets trust_remote_code=true and supplies a malicious model repository URL via the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint — this is core functionality of the chromadb Python package itself, not a vendored or optional sub-dependency. The OSV record uses 'last_affected' rather than a 'fixed' event, indicating no upstream fix has been released yet as of the advisory date; the conda-forge package at 1.5.9 is therefore still affected. The automated affected_versions list includes 1.5.9 (the latest conda-forge version) and a representative sample of other conda-forge builds; the OSV range confirms all versions from 1.0.0 to 1.5.9 are affected, so the listed set is consistent with what conda-forge ships. The CVSS 4.0 score of 9.3 (CRITICAL) reflects real-world risk: the attack requires no authentication and achieves full code execution on the server, which is accurate for a server deployment of chromadb.

affected_versions

  • agrees with auto match: ✅
  • reasoning: The OSV ECOSYSTEM range specifies 'introduced: 1.0.0' and 'last_affected: 1.5.9', meaning all versions from 1.0.0 through 1.5.9 inclusive are affected. The conda-forge affected_versions list includes 1.5.9 (the latest conda-forge release) and 16 earlier conda-forge builds, all of which fall within this range. No conda-forge version outside the vulnerable range is listed, so no removals are suggested. No upstream fixed release exists yet, so no additions can be verified from conda-forge data.

runtime_applicability: yes — The vulnerable code path is in chromadb's own API endpoint handler for collection creation/configuration. The trust_remote_code parameter is processed at runtime when the ChromaDB server handles API requests. This is not a build-time-only dependency or an optional import path — it is core server functionality that executes whenever the server is running and receives a relevant API call.

severity_in_conda_context: same — The CVSS 4.0 score of 9.3 CRITICAL accurately reflects the risk in the conda context. ChromaDB is typically deployed as a server process, and the vulnerability allows unauthenticated remote code execution with no preconditions beyond network access to the API. The severity is not overstated or understated for conda-forge users running chromadb as a service.

notes: CVE-2026-45829 has a future-looking CVE year (2026), which may indicate the advisory was filed in advance or is from a future publication date. The 'affects_future: False' field suggests the match system does not expect new future versions to be auto-affected. The HiddenLayer research post (https://www.hiddenlayer.com/research/chromatoast-served-pre-auth) provides technical details. Deployments that never expose the ChromaDB HTTP API externally or that never set trust_remote_code=true have significantly reduced exposure, but the vulnerability is still present in the code. Human verification of whether a patched conda-forge release has been published since this assessment is strongly recommended.

  • proposed action_statement: No fixed version of chromadb has been published as of this advisory. Users should disable or avoid enabling trust_remote_code=true in collection configurations, restrict network access to the ChromaDB API, and monitor the upstream repository ([Vulnerability ]: Python Backend Server Side RCE & Python Client SDK RCE chroma-core/chroma#6717) for a patched release. Upgrade to a fixed version once one becomes available on conda-forge.
  • run file: mappings/cve_ai_drafts/2026-06-03T21-28-04-187495Z--f8ada6.json
