PT-2026-45365 · Apache · Apache Airflow

Jarek Potiuk · Published 2026-06-01 · Updated 2026-06-05 · CVE-2026-40963

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: apache-airflow versions prior to 3.2.2
Description: The 'structure data' endpoint in the Airflow UI does not verify that the caller has read permission on the linked DAGs (Directed Acyclic Graphs: the collections of tasks to run, organized to reflect their relationships and dependencies). Consequently, an authenticated UI or API user who is authorized for one DAG can enumerate the linked DAG IDs and dependency metadata of other DAGs they are not authorized to read. This issue affects deployments that rely on per-DAG read scoping to keep the DAG dependency topology of different teams private from one another.
Recommendations: Upgrade to version 3.2.2 or later.
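The following is an added illustration of the authorization gap the description refers to and of the scoped check that closes it; it is not Apache Airflow's code and does not use Airflow's API. The dependency graph, the permission model (`user_can_read_dag`, a set of readable DAG ids or "*") and the function names `structure_data_unscoped` / `structure_data_scoped` are all constructed for this example. The unscoped variant authorizes only the requested DAG and returns every linked DAG; the scoped variant applies the same read check to the other endpoint of every edge, so ids outside the caller's scope never leave the server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """One edge of the cross-DAG dependency graph (constructed shape)."""
    source: str  # upstream DAG id
    target: str  # downstream DAG id
    kind: str    # constructed label for the link type


# Constructed sample topology: team A owns "a_*", team B "b_*", team C "c_*".
SAMPLE_DEPS = [
    Dependency("a_ingest", "a_transform", "trigger"),
    Dependency("a_transform", "b_report", "dataset"),
    Dependency("c_extract", "a_transform", "dataset"),
    Dependency("b_report", "b_publish", "trigger"),
]


def user_can_read_dag(user_perms, dag_id):
    """Per-DAG read scoping (assumed model): explicit DAG ids or the wildcard "*"."""
    return "*" in user_perms or dag_id in user_perms


def _edges_touching(dag_id, deps):
    return [d for d in deps if dag_id in (d.source, d.target)]


def _linked_ids(dag_id, edges):
    ids = set()
    for d in edges:
        ids.add(d.target if d.source == dag_id else d.source)
    return sorted(ids)


def _render(dag_id, edges):
    return {
        "dag_id": dag_id,
        "linked_dag_ids": _linked_ids(dag_id, edges),
        "edges": [(d.source, d.target, d.kind) for d in edges],
    }


def structure_data_unscoped(dag_id, deps, user_perms):
    """Behaviour the advisory describes: only the requested DAG is authorized;
    every linked DAG and its dependency metadata is returned regardless of
    whether the caller may read that DAG."""
    if not user_can_read_dag(user_perms, dag_id):
        raise PermissionError(f"no read access to {dag_id}")
    return _render(dag_id, _edges_touching(dag_id, deps))


def structure_data_scoped(dag_id, deps, user_perms):
    """Hardened form: an edge is returned only if the caller can read both of
    its endpoints, so the response never names a DAG outside the caller's scope."""
    if not user_can_read_dag(user_perms, dag_id):
        raise PermissionError(f"no read access to {dag_id}")
    edges = [
        d for d in _edges_touching(dag_id, deps)
        if user_can_read_dag(user_perms, d.source)
        and user_can_read_dag(user_perms, d.target)
    ]
    return _render(dag_id, edges)


def leaked_dag_ids(dag_id, deps, user_perms):
    """DAG ids the unscoped response reveals that the scoped one withholds.
    Handy when verifying a fix: a non-empty list means the endpoint still
    discloses topology the caller is not authorized to see."""
    before = set(structure_data_unscoped(dag_id, deps, user_perms)["linked_dag_ids"])
    after = set(structure_data_scoped(dag_id, deps, user_perms)["linked_dag_ids"])
    return sorted(before - after)


if __name__ == "__main__":
    team_a = frozenset({"a_ingest", "a_transform"})
    print(structure_data_unscoped("a_transform", SAMPLE_DEPS, team_a)["linked_dag_ids"])
    print(structure_data_scoped("a_transform", SAMPLE_DEPS, team_a)["linked_dag_ids"])
    print(leaked_dag_ids("a_transform", SAMPLE_DEPS, team_a))
```

The point of filtering on both endpoints rather than only on the requested DAG is that the dependency edge itself is the sensitive object: even a bare id such as "b_report" in the response tells a team A user that another team consumes its dataset. The same filter must be applied wherever the graph is serialized, including counts and node lists, not just in the edge array.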

Fix

Weakness Enumeration

Improper Authorization

Related Identifiers

BIT-AIRFLOW-2026-40963
CVE-2026-40963

Affected Products

Apache Airflow