PT-2026-25892 · Apache · Apache Airflow

Shubham Raj · Published 2026-03-17 · Updated 2026-03-17 · CVE-2026-28563 · Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user who holds only the DAG Dependencies permission to enumerate DAGs they are not authorized to view.
Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
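
The missing filter, sketched as an added example (not Airflow's code and not part of the original advisory): the flawed pattern beside a filtered one, plus a check that can be run against a captured response to confirm no unauthorized DAG IDs remain. The graph shape, the "dag:" prefix, the sample data and all function names are assumptions made for illustration.

```python
# Illustrative only: graph shape and function names are assumptions,
# not Airflow's real schema or API.
DAG_PREFIX = "dag:"

# Constructed sample graph (not real data).
FULL_GRAPH = {
    "nodes": ["dag:billing_etl", "dag:hr_payroll", "dag:public_reports",
              "asset:payroll_export"],
    "edges": [("dag:billing_etl", "dag:public_reports"),
              ("dag:hr_payroll", "asset:payroll_export"),
              ("dag:hr_payroll", "dag:public_reports")],
}

def dag_ids(graph):
    """Every DAG ID named anywhere in the graph, in nodes or in edges."""
    refs = set(graph["nodes"])
    for src, dst in graph["edges"]:
        refs.update((src, dst))
    return {r[len(DAG_PREFIX):] for r in refs if r.startswith(DAG_PREFIX)}

def dependencies_unfiltered(graph, authorized):
    """Flawed pattern from the advisory: the caller's DAG set is ignored."""
    return graph

def dependencies_filtered(graph, authorized):
    """Return only what the caller may see.

    An edge survives only if every DAG endpoint is authorized, so an
    unauthorized DAG ID cannot leak through an edge. Non-DAG nodes are
    kept only when a surviving edge still references them.
    """
    def visible(ref):
        return not ref.startswith(DAG_PREFIX) or ref[len(DAG_PREFIX):] in authorized
    edges = [(s, d) for s, d in graph["edges"] if visible(s) and visible(d)]
    linked = {ref for edge in edges for ref in edge}
    nodes = [n for n in graph["nodes"]
             if (n.startswith(DAG_PREFIX) and visible(n)) or n in linked]
    return {"nodes": nodes, "edges": edges}

def leaked_dag_ids(response, authorized):
    """Regression check: DAG IDs in a response outside the caller's set."""
    return dag_ids(response) - set(authorized)
```

Filtering nodes alone is not enough: an edge whose source or target is an unauthorized DAG still discloses that DAG's ID, which is why the check inspects edges as well as nodes.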

Weakness Enumeration: Incorrect Permission

Related Identifiers: CVE-2026-28563

Affected Products: Apache Airflow