PT-2026-25892 · Apache · Apache Airflow
Shubham Raj · Published 2026-03-17 · Updated 2026-03-18
CVE-2026-28563
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions 3.1.0 through 3.1.7
Description
The /ui/dependencies endpoint in Apache Airflow returns the complete DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.
Recommendations
Upgrade to Apache Airflow version 3.1.8 or later.
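An added example, not Airflow's code or the project's fix: one way to apply the filter by authorized DAG IDs that the description says was missing, before a dependency graph is returned. The node/edge shape, the function name and the sample DAG names are assumptions constructed for illustration; the example also drops non-DAG nodes that touch no authorized DAG.

```python
# Constructed sample; this shape is an assumption, not Airflow's response schema.
SAMPLE_GRAPH = {
    "nodes": [
        {"id": "dag:sales_etl", "type": "dag"},
        {"id": "asset:orders", "type": "asset"},
        {"id": "dag:sales_report", "type": "dag"},
        {"id": "dag:hr_payroll", "type": "dag"},
        {"id": "asset:salaries", "type": "asset"},
    ],
    "edges": [
        {"source": "dag:sales_etl", "target": "asset:orders"},
        {"source": "asset:orders", "target": "dag:sales_report"},
        {"source": "asset:orders", "target": "dag:hr_payroll"},
        {"source": "dag:hr_payroll", "target": "asset:salaries"},
    ],
}


def filter_dependency_graph(graph, readable_dag_ids):
    """Hypothetical helper: keep only what a caller with these DAG IDs may see."""
    types = {n["id"]: n["type"] for n in graph["nodes"]}
    # 1. DAG nodes survive only if the caller is authorized for that DAG.
    dags = {nid for nid, t in types.items()
            if t == "dag" and nid.removeprefix("dag:") in readable_dag_ids}
    # 2. Non-DAG nodes survive only if directly linked to a surviving DAG,
    #    so an asset used solely by hidden DAGs does not reveal that they exist.
    linked = set()
    for e in graph["edges"]:
        for a, b in ((e["source"], e["target"]), (e["target"], e["source"])):
            if a in dags and types.get(b, "dag") != "dag":
                linked.add(b)
    keep = dags | linked
    # 3. An edge survives only if both of its endpoints do.
    return {
        "nodes": [n for n in graph["nodes"] if n["id"] in keep],
        "edges": [e for e in graph["edges"]
                  if e["source"] in keep and e["target"] in keep],
    }


if __name__ == "__main__":
    print(filter_dependency_graph(SAMPLE_GRAPH, {"sales_etl", "sales_report"}))
```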
Fix
Incorrect Permission
Affected Products
Apache Airflow