oss-sec mailing list archives
CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
From: Rahul Vats <rahulvats () apache org>
Date: Tue, 17 Mar 2026 06:25:12 +0000
Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.8

Description:

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Credit:

Pierre Jeambrun (remediation developer)

References:

https://github.com/apache/airflow/pull/61675
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-26929
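The flaw class described above, as an added example that is not part of the original advisory and is not Airflow's code: a listing function that checks permission only for a concrete dag_id, next to one that filters every row by the caller's per-DAG access, plus a helper usable as a regression check. All names, users and DAG ids are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass

WILDCARD = "~"  # the value the advisory names as the wildcard for all DAGs

@dataclass(frozen=True)
class DagVersion:
    dag_id: str
    version_number: int

# Constructed sample data (hypothetical DAGs and users, not from the advisory).
VERSIONS = [
    DagVersion("finance_etl", 1),
    DagVersion("finance_etl", 2),
    DagVersion("marketing_report", 1),
    DagVersion("hr_payroll", 4),
]
READABLE = {
    "alice": {"marketing_report"},
    "admin": {"finance_etl", "marketing_report", "hr_payroll"},
}

def can_read(user, dag_id):
    """Per-DAG authorization decision for one user and one DAG."""
    return dag_id in READABLE.get(user, set())

def list_versions_unfiltered(user, dag_id):
    """Flawed pattern: the permission check covers only a concrete dag_id."""
    if dag_id == WILDCARD:
        return list(VERSIONS)  # wildcard path skips per-DAG filtering
    if not can_read(user, dag_id):
        raise PermissionError(dag_id)
    return [v for v in VERSIONS if v.dag_id == dag_id]

def list_versions_filtered(user, dag_id):
    """Hardened pattern: every returned row must pass the per-DAG check."""
    if dag_id != WILDCARD and not can_read(user, dag_id):
        raise PermissionError(dag_id)
    allowed = READABLE.get(user, set())
    return [v for v in VERSIONS
            if v.dag_id in allowed and dag_id in (WILDCARD, v.dag_id)]

def leaked_dag_ids(user, listing):
    """Regression check: DAG ids in a wildcard listing the user cannot read."""
    rows = listing(user, WILDCARD)
    return sorted({v.dag_id for v in rows if not can_read(user, v.dag_id)})
```

An empty result from `leaked_dag_ids` for a restricted user is the property a test against the wildcard path should assert.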
