CVE-2026-38743

Name of the Vulnerable Software and Affected Versions Airflow versions prior to 3.2.1

Description The authenticated '/ui/dags' endpoint fails to enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records. This allows a logged-in user with read access to at least one DAG to retrieve HITL prompts, including their request parameters, and full TaskInstance details for DAGs outside their authorized scope. Since HITL prompts and TaskInstance fields often contain operator parameters and free-form context, this issue expands the visibility of DAG-run data beyond the intended Role-Based Access Control (RBAC) boundaries for all authenticated users.

Recommendations Upgrade to version 3.2.1.