Alex Liotta

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 2.8.0 through 2.8.2 **Description** The issue is related to insufficient access control in Apache Airflow, allowing an authenticated user with limited permissions to access resources such as variables, connections, etc. from the UI, which they do not have permission to access. This could potentially allow a remote attacker to gain unauthorized access to resources. **Recommendations** For Apache Airflow versions 2.8.0 through 2.8.2, upgrade to version 2.8.3 or newer to mitigate the risk associated with this issue.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 2.8.2 **Description** The issue allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. This is related to the disclosure of information in the error data area. Exploitation of the issue may allow a remote attacker to access the source code of DAGs. **Recommendations** For Apache Airflow versions prior to 2.8.2, upgrade to version 2.8.2 or newer to mitigate the risk associated with this issue. As a temporary workaround, consider restricting access to the API and UI for authenticated users until a patch is available.