oss-sec mailing list archives

CVE-2026-28563: Apache Airflow: DAG authorization bypass


From: Rahul Vats <rahulvats () apache org>
Date: Tue, 17 Mar 2026 06:25:54 +0000

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.8

Description:

In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies endpoint returns the full DAG dependency graph
without filtering by authorized DAG IDs. This allows an authenticated user who holds only the DAG Dependencies
permission to enumerate DAGs they are not authorized to view.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
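The following is an added example and not Apache Airflow's own code or the actual fix in the referenced pull request. It models the class of bug the advisory describes: a view that builds the complete DAG dependency graph and must restrict it to the DAGs the caller is permitted to read. The node and edge layout, the "dag:<id>" node-id format and the sample DAG names are all constructed for the example; the point it shows is that both nodes and edges need filtering, since an edge that survives with a hidden endpoint still reveals that DAG's id, and that a caller with an empty authorized set should get an empty graph rather than the whole thing.

```python
# Added example, not Apache Airflow's code. Illustrates filtering a DAG
# dependency graph by the caller's authorized DAG IDs, the check the
# advisory says the /ui/dependencies endpoint was missing.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class Node:
    id: str       # graph node id, e.g. "dag:etl_daily" (constructed format)
    dag_id: str   # the DAG this node belongs to


@dataclass(frozen=True)
class Edge:
    source: str   # node id
    target: str   # node id


@dataclass
class DependencyGraph:
    nodes: list[Node] = field(default_factory=list)
    edges: list[Edge] = field(default_factory=list)

    def dag_ids(self) -> set[str]:
        return {n.dag_id for n in self.nodes}


# Constructed sample graph: one upstream DAG that triggers two downstream DAGs.
SAMPLE_GRAPH = DependencyGraph(
    nodes=[
        Node("dag:etl_daily", "etl_daily"),
        Node("dag:report_finance", "report_finance"),
        Node("dag:report_hr", "report_hr"),
    ],
    edges=[
        Edge("dag:etl_daily", "dag:report_finance"),
        Edge("dag:etl_daily", "dag:report_hr"),
    ],
)


def dependencies_unfiltered(graph: DependencyGraph) -> DependencyGraph:
    """Vulnerable pattern: a menu-level permission gate was passed, and the
    whole graph is returned regardless of which DAGs the caller may read."""
    return graph


def dependencies_for_user(graph: DependencyGraph,
                          authorized_dag_ids: Iterable[str]) -> DependencyGraph:
    """Hardened pattern: keep only nodes for readable DAGs, then keep only
    edges whose two endpoints both survived. Filtering edges as well as nodes
    matters, because a dangling edge would still name a hidden DAG."""
    allowed = set(authorized_dag_ids)
    kept_nodes = [n for n in graph.nodes if n.dag_id in allowed]
    kept_ids = {n.id for n in kept_nodes}
    kept_edges = [e for e in graph.edges
                  if e.source in kept_ids and e.target in kept_ids]
    return DependencyGraph(kept_nodes, kept_edges)


def leaked_dag_ids(response: DependencyGraph,
                   authorized_dag_ids: Iterable[str]) -> set[str]:
    """Regression check for a graph endpoint: identifiers present in the
    response that the caller was not authorized to see. Reports both nodes
    for unauthorized DAGs and edge endpoints that reference no returned node."""
    allowed = set(authorized_dag_ids)
    leaked = {n.dag_id for n in response.nodes if n.dag_id not in allowed}
    node_ids = {n.id for n in response.nodes}
    endpoints = {e.source for e in response.edges} | {e.target for e in response.edges}
    leaked |= {nid for nid in endpoints if nid not in node_ids}
    return leaked


if __name__ == "__main__":
    # A caller allowed to read only report_hr: the vulnerable view leaks the
    # other two DAG ids, the hardened view returns just the permitted subgraph.
    caller = ["report_hr"]
    print("leaked (unfiltered):", leaked_dag_ids(dependencies_unfiltered(SAMPLE_GRAPH), caller))
    print("leaked (filtered):  ", leaked_dag_ids(dependencies_for_user(SAMPLE_GRAPH, caller), caller))
```

The leaked_dag_ids helper is the kind of assertion worth keeping in a test suite for any endpoint that aggregates across DAGs: feed it the response for a low-privilege user and require an empty set.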

Credit:

Masamune - Unit515 OPSWAT (finder)
Shubham Raj (remediation developer)

References:

https://github.com/apache/airflow/pull/62046
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-28563
