CVE-2026-24098

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/airflow/pull/60801	Issue Tracking Patch
https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/02/09/3	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-09 11:16

Updated : 2026-03-11 13:51

NVD link : CVE-2026-24098

Mitre link : CVE-2026-24098

CVE.ORG link : CVE-2026-24098

JSON object : View

Products Affected

apache

airflow

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-24098", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-09T11:16:14.660", "references": [{"url": "https://github.com/apache/airflow/pull/60801", "tags": ["Issue Tracking", "Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/02/09/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. \n\nUsers are advised to upgrade to 3.1.7 or later, which resolves this issue"}, {"lang": "es", "value": "Apache Airflow versiones anteriores a la 3.1.7, tiene una vulnerabilidad que permite a los usuarios autenticados de la interfaz de usuario (UI) con permiso para uno o m\u00e1s DAGs espec\u00edficos ver errores de importaci\u00f3n generados por otros DAGs a los que no ten\u00edan acceso.\n\nSe aconseja a los usuarios actualizar a la versi\u00f3n 3.1.7 o posterior, lo que resuelve este problema."}], "lastModified": "2026-03-11T13:51:59.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C0114E8-30C3-477B-9AA9-2B388731C60A", "versionEndExcluding": "3.1.7", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}