PT-2026-25891 · Apache · Apache Airflow

Pierre Jeambrun · Published 2026-03-17 · Updated 2026-03-18 · CVE-2026-26929

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions 3.0.0 through 3.1.7

Description: The FastAPI DagVersion listing API in Apache Airflow does not enforce per-DAG authorization filtering when a request is made with the dag_id parameter set to '~' (wildcard for all DAGs). This allows the retrieval of version metadata for DAGs that the requesting user is not authorized to access.

Recommendations: Upgrade to Apache Airflow version 3.1.8 or later.

Fix

DoS

Incorrect Permission

Weakness Enumeration

Related Identifiers

BDU:2026-05612
BIT-AIRFLOW-2026-26929
CVE-2026-26929
GHSA-4M3H-WP5W-5HQH
PYSEC-2026-14

Affected Products

Apache Airflow