Pierre Jeambrun

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.2 **Description** The Event Log detail endpoint "GET /api/v2/eventLogs/{event log id}" fetches audit-log rows directly by numeric ID after performing only a generic Audit Log permission check. This differs from the collection endpoint "GET /api/v2/eventLogs", which applies per-Dag scoping. Consequently, an authenticated UI or API user with audit-log read permission for a single Dag can retrieve audit-log entries for any other Dag by guessing or enumerating the `event log id` variable. **Recommendations** Upgrade to version 3.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Airflow versions prior to 3.2.0 **Description** A user with asset materialize permission via the UI or API can trigger DAGs (Directed Acyclic Graphs, which are collections of all the tasks you want to run, organized in a way that reflects their relationships) to which they do not have access. **Recommendations** Update to version 3.2.0.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 3.0.0 through 3.1.7 **Description** The FastAPI DagVersion listing API in Apache Airflow does not enforce per-DAG authorization filtering when a request is made with the `dag id` parameter set to '~' (wildcard for all DAGs). This allows the retrieval of version metadata for DAGs that the requesting user is not authorized to access. **Recommendations** Upgrade to Apache Airflow version 3.1.8 or later.