airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +38 more potentially affected by CVE-2026-38743 via apache-airflow-core (>=3.0.0 <=3.2.1)

apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-38743 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-16425769...

abi-ds-utils (=1.0.1), acceldata-o2a (=1.0.0) +162 more potentially affected by CVE-2026-38743 via apache-airflow (>=1.8.2 <=3.2.1)

apache-airflow PYPI version =1.8.2, =0.8.44.4, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.2.1, =0.2.9b1, =0.4.0, =0.1.0a1, =0.6.0, =1.6.0 and more Source cves: CVE-2026-38743 Source advisory: OSV:GHSA-P3V3-229H-MC63...

CVE-2026-38743

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DA...