CVE-2026-46764

🗓️ 01 Jun 2026 07:45:48Reported by apacheType

cve🔗 web.nvd.nist.gov👁 9 Views🌐 WEB

Event Log detail endpoint bypasses per-Dag audit-log scope, enabling access to all DAG logs by ID; upgrade to Airflow 3.2.2 or later.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-46764	1 Jun 202607:45	–	attackerkb
Circl	CVE-2026-46764	31 May 202613:47	–	circl
CNNVD	Apache Airflow security vulnerabilities	1 Jun 202600:00	–	cnnvd
Cvelist	CVE-2026-46764 Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter	1 Jun 202607:45	–	cvelist
EUVD	EUVD-2026-33584	1 Jun 202607:45	–	euvd
NVD	CVE-2026-46764	1 Jun 202609:16	–	nvd
Positive Technologies	PT-2026-45378	1 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-46764	2 Jun 202622:03	–	redhatcve
Vulnrichment	CVE-2026-46764 Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter	1 Jun 202607:45	–	vulnrichment

NVD

Vulners

Node

apache airflowRange<3.2.2

[
  {
    "collectionURL": "https://pypi.python.org",
    "defaultStatus": "unaffected",
    "packageName": "apache-airflow",
    "product": "Apache Airflow",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "3.2.2",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/ctrbj7q3m86g4qxmo9ponojgmzrcoqpv
github	www.github.com/apache/airflow/pull/67112
openwall	www.openwall.com/lists/oss-security/2026/05/31/14

Parameter	Position	Path	Description	CWE
event_log_id	path	/api/v2/eventLogs/{event_log_id}	Unauthenticated or inadequately scoped access to audit-log detail by guessing numeric event_log_id, bypassing per-Dag scoping in the detail endpoint.	CWE-639

02 Jun 2026 17:16Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.14.3

EPSS0.00045

SSVC

CWE-639