Shubham Raj

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 3.1.0 through 3.1.7 **Description** The `/ui/dependencies` endpoint in Apache Airflow returns the complete DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. **Recommendations** Upgrade to Apache Airflow version 3.1.8 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 3.1.0 through 3.1.6 **Description** An authorization flaw exists in Apache Airflow that could allow an authenticated user with limited task permissions to view task logs without proper authorization. The issue affects systems where users have custom permissions restricting access to task logs, but still permit task access. **Recommendations** Upgrade to Apache Airflow version 3.1.7 or later.

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.10.3 Description: The issue allows authenticated users with audit log access to see sensitive values in audit logs that they should not see. This occurs when sensitive variables are set via the Airflow CLI, resulting in the values being stored unencrypted in the Airflow database. The risk is limited to users with audit log access. Recommendations: For Apache Airflow versions prior to 2.10.3, upgrade to Airflow 2.10.3 or a later version to address this issue. Additionally, users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.