PT-2026-25891 · Apache · Apache Airflow
Pierre Jeambrun · Published 2026-03-17 · Updated 2026-03-18 · CVE-2026-26929
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions 3.0.0 through 3.1.7
Description
The FastAPI DagVersion listing API in Apache Airflow does not enforce per-DAG authorization filtering when a request is made with the dag_id parameter set to '~' (wildcard for all DAGs). This allows the retrieval of version metadata for DAGs that the requesting user is not authorized to access.
Recommendations
Upgrade to Apache Airflow version 3.1.8 or later.
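The missing filter from the description, shown beside a filtered form with a regression check. This is an added example, a simplified model and not Airflow's code or its actual fix; the function names, the users and the DAG ids are hypothetical, and the shape of the flawed branch is an assumption.

```python
from dataclasses import dataclass

WILDCARD = "~"  # dag_id value meaning "all DAGs", as stated in the advisory

@dataclass(frozen=True)
class DagVersion:
    dag_id: str
    version_number: int

# Constructed sample data: stored versions and per-user readable DAG ids.
VERSIONS = [DagVersion("finance_etl", 1), DagVersion("finance_etl", 2),
            DagVersion("marketing_report", 1)]
READABLE = {"alice": {"marketing_report"},
            "admin": {"finance_etl", "marketing_report"}}

class Forbidden(Exception):
    """Raised when a user names a DAG they may not read."""

def list_versions_flawed(user, dag_id):
    # Assumed shape of the flaw: the permission check covers a named DAG only.
    if dag_id == WILDCARD:
        return list(VERSIONS)  # no per-DAG filter applied to the wildcard
    if dag_id not in READABLE.get(user, set()):
        raise Forbidden(dag_id)
    return [v for v in VERSIONS if v.dag_id == dag_id]

def list_versions_filtered(user, dag_id):
    # The wildcard is narrowed to the caller's readable set before querying.
    allowed = READABLE.get(user, set())
    if dag_id != WILDCARD and dag_id not in allowed:
        raise Forbidden(dag_id)
    wanted = allowed if dag_id == WILDCARD else {dag_id}
    return [v for v in VERSIONS if v.dag_id in wanted]

def unauthorized_dag_ids(handler, user):
    # Regression check: DAG ids in a wildcard response outside the user's set.
    allowed = READABLE.get(user, set())
    return {v.dag_id for v in handler(user, WILDCARD)} - allowed

if __name__ == "__main__":
    for h in (list_versions_flawed, list_versions_filtered):
        print(h.__name__, sorted(unauthorized_dag_ids(h, "alice")))
```

The invariant checked by unauthorized_dag_ids (a wildcard response is a subset of what the caller may read) is the kind of assertion worth keeping in an API test suite for every list endpoint that accepts a wildcard.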
Fix
Incorrect Permission
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow