PT-2026-56179 · Apache · Apache Airflow
Jarek Potiuk
·
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-49296
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
apache-airflow versions prior to 3.3.0
Description
An authorization bypass occurs when a user with permission to read a specific Dag can disclose the source code of other Dags located within the same source file. This issue affects deployments that co-locate multiple Dags in a single file and rely on per-DAG access control. The flaw exists in the
GET /api/v2/dagSources/{dag id} endpoint and the corresponding Dag-source view in the UI, which return the entire source file without redacting unauthorized Dags. The dag id variable is used to identify the requested Dag.Recommendations
Upgrade to apache-airflow version 3.3.0 or later.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Airflow