CVE-2026-26929

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/airflow/pull/61675	Issue Tracking
https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/17/4	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-17 11:16

Updated : 2026-03-17 16:16

NVD link : CVE-2026-26929

Mitre link : CVE-2026-26929

CVE.ORG link : CVE-2026-26929

JSON object : View

Products Affected

apache

airflow

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2026-26929", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-17T11:16:11.490", "references": [{"url": "https://github.com/apache/airflow/pull/61675", "tags": ["Issue Tracking"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/17/4", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue."}, {"lang": "es", "value": "Las versiones 3.0.0 a 3.1.7 de Apache Airflow: la API de listado de DagVersion de FastAPI no aplica el filtrado de autorizaci\u00f3n por DAG cuando la solicitud se realiza con dag_id establecido en '~' (comod\u00edn para todos los DAGs). Como resultado, se devuelven los metadatos de versi\u00f3n de los DAGs a los que el solicitante no est\u00e1 autorizado a acceder.\n\nSe recomienda a los usuarios actualizar a Apache Airflow 3.1.8 o posterior, lo que resuelve este problema."}], "lastModified": "2026-03-17T16:16:20.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A355B3D5-BAA7-4680-879B-55D6E3D52D68", "versionEndExcluding": "3.1.8", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}