CVE-2026-28563
Medium
Low
Medium
High
Critical
4.3
CVSS Score
Vulnerability Description
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.
Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
N
Attack Complexity
L
Privileges Required
L
User Interaction
N
Scope
U
Confidentiality
L
Integrity
N
Availability
N
Known Affected Software
14 configuration(s) from 1 vendor(s)
airflow
Version:
3.1.5
CPE:
cpe:2.3:a:apache:airflow:3.1.5:-:*:*:*:*:*:*
airflow
Version:
3.0.0
CPE:
cpe:2.3:a:apache:airflow:3.0.0:rc4:*:*:*:*:*:*
airflow
Version:
3.0.3
CPE:
cpe:2.3:a:apache:airflow:3.0.3:-:*:*:*:*:*:*
airflow
Version:
3.1.6
CPE:
cpe:2.3:a:apache:airflow:3.1.6:-:*:*:*:*:*:*
airflow
Version:
3.1.3
CPE:
cpe:2.3:a:apache:airflow:3.1.3:-:*:*:*:*:*:*
airflow
Version:
3.1.1
CPE:
cpe:2.3:a:apache:airflow:3.1.1:-:*:*:*:*:*:*
airflow
Version:
3.0.2
CPE:
cpe:2.3:a:apache:airflow:3.0.2:-:*:*:*:*:*:*
airflow
Version:
3.0.5
CPE:
cpe:2.3:a:apache:airflow:3.0.5:-:*:*:*:*:*:*
airflow
Version:
3.0.6
CPE:
cpe:2.3:a:apache:airflow:3.0.6:-:*:*:*:*:*:*
airflow
Version:
3.1.2
CPE:
cpe:2.3:a:apache:airflow:3.1.2:rc1:*:*:*:*:*:*
airflow
Version:
3.1.0
CPE:
cpe:2.3:a:apache:airflow:3.1.0:-:*:*:*:*:*:*
airflow
Version:
3.1.4
CPE:
cpe:2.3:a:apache:airflow:3.1.4:rc1:*:*:*:*:*:*
airflow
Version:
3.0.4
CPE:
cpe:2.3:a:apache:airflow:3.0.4:-:*:*:*:*:*:*
airflow
Version:
3.0.1
CPE:
cpe:2.3:a:apache:airflow:3.0.1:-:*:*:*:*:*:*
This vulnerability affects 14 software configuration(s). Ensure you patch all affected systems.
References & Resources
-
https://github.com/apache/airflow/pull/62046security@apache.org Issue Tracking Patch
-
https://lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49ssecurity@apache.org Mailing List Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2026/03/17/5af854a3a-2127-422b-91ae-364da2661108 Mailing List Third Party Advisory
Severity Details
4.3
out of 10.0
Medium
Weakness Type (CWE)
CWE-732
Incorrect Permission Assignment for Critical Resource
- Description
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
- Exploit Likelihood
- High
- Typical Severity
- High
- Abstraction Level
- Class
Key Information
- Published Date
- March 17, 2026
