oss-sec mailing list archives

CVE-2026-24098: Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors


From: Ephraim Anierobi <ephraimanierobi () apache org>
Date: Mon, 09 Feb 2026 09:49:08 +0000

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 3.1.7

Description:

Apache Airflow versions before 3.1.7 have a vulnerability that allows authenticated UI users with permission to one or 
more specific Dags to view import errors generated by other Dags they did not have access to.

Users are advised to upgrade to 3.1.7 or later, which resolves this issue.

Credit:

Saurabh (finder)

References:

https://github.com/apache/airflow/pull/60801
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-24098

