PT-2026-56179 · Apache · Apache Airflow

Jarek Potiuk

·

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-49296

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions apache-airflow versions prior to 3.3.0
Description An authorization bypass occurs when a user with permission to read a specific Dag can disclose the source code of other Dags located within the same source file. This issue affects deployments that co-locate multiple Dags in a single file and rely on per-DAG access control. The flaw exists in the GET /api/v2/dagSources/{dag id} endpoint and the corresponding Dag-source view in the UI, which return the entire source file without redacting unauthorized Dags. The dag id variable is used to identify the requested Dag.
Recommendations Upgrade to apache-airflow version 3.3.0 or later.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49296

Affected Products

Apache Airflow