Vulnerability-Lookup

CVE-2026-26929 (GCVE-0-2026-26929)

Vulnerability from cvelistv5 – Published: 2026-03-17 10:54 – Updated: 2026-03-17 15:40

Title

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Summary

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Severity

No CVSS data available.

CWE

CWE-732 - Incorrect Permission Assignment for Critical Resource

Assigner

apache

References

2 references

URL	Tags
https://github.com/apache/airflow/pull/61675	patch
https://lists.apache.org/thread/g5o6khx83jwqvdyn0…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Airflow	Affected: 3.0.0 , < 3.1.8 (semver)

Credits

Pierre Jeambrun

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-17T13:31:59.997Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/17/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-26929",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T15:40:34.971798Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-17T15:40:38.428Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.python.org",
          "defaultStatus": "unaffected",
          "packageName": "apache-airflow",
          "product": "Apache Airflow",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.1.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Pierre Jeambrun"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Apache Airflow versions 3.0.0 through 3.1.7\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-17T10:54:05.523Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/airflow/pull/61675"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Airflow: Wildcard DagVersion Listing Bypasses Per\u2011DAG RBAC and Leaks Metadata",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-26929",
    "datePublished": "2026-03-17T10:54:05.523Z",
    "dateReserved": "2026-02-16T12:58:50.649Z",
    "dateUpdated": "2026-03-17T15:40:38.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-26929",
      "date": "2026-05-26",
      "epss": "0.00054",
      "percentile": "0.16979"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-26929\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-03-17T11:16:11.490\",\"lastModified\":\"2026-03-17T16:16:20.530\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \\\"~\\\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\\n\\n\\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.1.8\",\"matchCriteriaId\":\"A355B3D5-BAA7-4680-879B-55D6E3D52D68\"}]}]}],\"references\":[{\"url\":\"https://github.com/apache/airflow/pull/61675\",\"source\":\"security@apache.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/17/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/17/4\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-17T13:31:59.997Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26929\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-17T15:40:34.971798Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-17T13:37:34.145Z\"}}], \"cna\": {\"title\": \"Apache Airflow: Wildcard DagVersion Listing Bypasses Per\\u2011DAG RBAC and Leaks Metadata\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Pierre Jeambrun\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Airflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.1.8\", \"versionType\": \"semver\"}], \"packageName\": \"apache-airflow\", \"collectionURL\": \"https://pypi.python.org\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/apache/airflow/pull/61675\", \"tags\": [\"patch\"]}, {\"url\": \"https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apache Airflow versions 3.0.0 through 3.1.7\\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \\\"~\\\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\\n\\n\\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Apache Airflow versions 3.0.0 through 3.1.7\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \\\"~\\\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732 Incorrect Permission Assignment for Critical Resource\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-03-17T10:54:05.523Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-26929\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-17T15:40:38.428Z\", \"dateReserved\": \"2026-02-16T12:58:50.649Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-03-17T10:54:05.523Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

bit-airflow-2026-26929

Vulnerability from bitnami_vulndb

Published

2026-03-18 08:39

Modified

2026-03-18 09:23

Summary

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Details

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "airflow",
        "purl": "pkg:bitnami/airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.8"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26929"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.",
  "id": "BIT-airflow-2026-26929",
  "modified": "2026-03-18T09:23:06.258Z",
  "published": "2026-03-18T08:39:27.056Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/17/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/61675"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26929"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Apache Airflow: Wildcard DagVersion Listing Bypasses Per\u2011DAG RBAC and Leaks Metadata"
}

CNVD-2026-15159

Vulnerability from cnvd - Published: 2026-03-27

Title

Apache Airflow信息泄露漏洞（CNVD-2026-15159）

Description

Apache Airflow是美国阿帕奇（Apache）基金会的一套具有创建、管理和监控工作流程功能的开源平台。该平台具有可扩展和动态监控等特点。 Apache Airflow存在信息泄露漏洞，该漏洞源于FastAPI DagVersion列表API在请求使用通配符dag_id时未应用每DAG授权过滤，攻击者可利用该漏洞导致返回请求者无权访问的DAG的版本元数据。

Severity

中

Patch Name

Apache Airflow信息泄露漏洞（CNVD-2026-15159）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://airflow.apache.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-26929

Impacted products

Name
Apache Airflow >=3.0.0，<3.1.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-26929",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-26929"
    }
  },
  "description": "Apache Airflow\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5177\u6709\u521b\u5efa\u3001\u7ba1\u7406\u548c\u76d1\u63a7\u5de5\u4f5c\u6d41\u7a0b\u529f\u80fd\u7684\u5f00\u6e90\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5177\u6709\u53ef\u6269\u5c55\u548c\u52a8\u6001\u76d1\u63a7\u7b49\u7279\u70b9\u3002\n\n Apache Airflow\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eFastAPI DagVersion\u5217\u8868API\u5728\u8bf7\u6c42\u4f7f\u7528\u901a\u914d\u7b26dag_id\u65f6\u672a\u5e94\u7528\u6bcfDAG\u6388\u6743\u8fc7\u6ee4\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8fd4\u56de\u8bf7\u6c42\u8005\u65e0\u6743\u8bbf\u95ee\u7684DAG\u7684\u7248\u672c\u5143\u6570\u636e\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://airflow.apache.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-15159",
  "openTime": "2026-03-27",
  "patchDescription": "Apache Airflow\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5177\u6709\u521b\u5efa\u3001\u7ba1\u7406\u548c\u76d1\u63a7\u5de5\u4f5c\u6d41\u7a0b\u529f\u80fd\u7684\u5f00\u6e90\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5177\u6709\u53ef\u6269\u5c55\u548c\u52a8\u6001\u76d1\u63a7\u7b49\u7279\u70b9\u3002\r\n\r\n Apache Airflow\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eFastAPI DagVersion\u5217\u8868API\u5728\u8bf7\u6c42\u4f7f\u7528\u901a\u914d\u7b26dag_id\u65f6\u672a\u5e94\u7528\u6bcfDAG\u6388\u6743\u8fc7\u6ee4\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8fd4\u56de\u8bf7\u6c42\u8005\u65e0\u6743\u8bbf\u95ee\u7684DAG\u7684\u7248\u672c\u5143\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Airflow\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2026-15159\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Airflow \u003e=3.0.0\uff0c\u003c3.1.8"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-26929",
  "serverity": "\u4e2d",
  "submitTime": "2026-03-19",
  "title": "Apache Airflow\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2026-15159\uff09"
}

FKIE_CVE-2026-26929

Vulnerability from fkie_nvd - Published: 2026-03-17 11:16 - Updated: 2026-03-17 16:16

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@apache.org	https://github.com/apache/airflow/pull/61675	Issue Tracking
security@apache.org	https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/03/17/4	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	airflow	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A355B3D5-BAA7-4680-879B-55D6E3D52D68",
              "versionEndExcluding": "3.1.8",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue."
    },
    {
      "lang": "es",
      "value": "Las versiones 3.0.0 a 3.1.7 de Apache Airflow: la API de listado de DagVersion de FastAPI no aplica el filtrado de autorizaci\u00f3n por DAG cuando la solicitud se realiza con dag_id establecido en \u0027~\u0027 (comod\u00edn para todos los DAGs). Como resultado, se devuelven los metadatos de versi\u00f3n de los DAGs a los que el solicitante no est\u00e1 autorizado a acceder.\n\nSe recomienda a los usuarios actualizar a Apache Airflow 3.1.8 o posterior, lo que resuelve este problema."
    }
  ],
  "id": "CVE-2026-26929",
  "lastModified": "2026-03-17T16:16:20.530",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-17T11:16:11.490",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/apache/airflow/pull/61675"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/03/17/4"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

GHSA-4M3H-WP5W-5HQH

Vulnerability from github – Published: 2026-03-17 12:30 – Updated: 2026-03-18 16:19

Summary

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Details

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:19:16Z",
    "nvd_published_at": "2026-03-17T11:16:11Z",
    "severity": "HIGH"
  },
  "details": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.",
  "id": "GHSA-4m3h-wp5w-5hqh",
  "modified": "2026-03-18T16:19:16Z",
  "published": "2026-03-17T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/61675"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/17/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Airflow: Wildcard DagVersion Listing Bypasses Per\u2011DAG RBAC and Leaks Metadata"
}

PYSEC-2026-14

Vulnerability from pysec - Published: 2026-03-17 11:16 - Updated: 2026-05-20 09:18

Details

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Impacted products

Name	purl
apache-airflow	pkg:pypi/apache-airflow

Aliases

CVE-2026-26929

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow",
        "purl": "pkg:pypi/apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0",
        "3.0.1",
        "3.0.1rc1",
        "3.0.2",
        "3.0.2rc1",
        "3.0.2rc2",
        "3.0.3",
        "3.0.3rc1",
        "3.0.3rc2",
        "3.0.3rc3",
        "3.0.3rc4",
        "3.0.3rc5",
        "3.0.3rc6",
        "3.0.4",
        "3.0.4rc1",
        "3.0.4rc2",
        "3.0.5",
        "3.0.5rc1",
        "3.0.5rc2",
        "3.0.5rc3",
        "3.0.6",
        "3.0.6rc1",
        "3.0.6rc2",
        "3.1.0",
        "3.1.0b1",
        "3.1.0b2",
        "3.1.0rc1",
        "3.1.0rc2",
        "3.1.1",
        "3.1.1rc1",
        "3.1.1rc2",
        "3.1.2",
        "3.1.2rc1",
        "3.1.2rc2",
        "3.1.3",
        "3.1.3rc1",
        "3.1.4",
        "3.1.4rc1",
        "3.1.4rc2",
        "3.1.5",
        "3.1.5rc1",
        "3.1.6",
        "3.1.6rc1",
        "3.1.7",
        "3.1.7rc1",
        "3.1.7rc2",
        "3.1.8rc1",
        "3.1.8rc2"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26929"
  ],
  "details": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.",
  "id": "PYSEC-2026-14",
  "modified": "2026-05-20T09:18:52.919417Z",
  "published": "2026-03-17T11:16:11.490Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/17/4"
    },
    {
      "type": "ADVISORY",
      "url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/apache/airflow/pull/61675"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-26929 (GCVE-0-2026-26929)

bit-airflow-2026-26929

Vulnerability from bitnami_vulndb

CNVD-2026-15159

FKIE_CVE-2026-26929

GHSA-4M3H-WP5W-5HQH

PYSEC-2026-14

Tags

Sightings

Nomenclature