Lucene search
K

6 matches found

PyPA
PyPA
added 2026/06/01 9:16 a.m.9 views

PYSEC-2026-174

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's str.lstrip to the requested path segment when verifying the JWT's sub...

3.1CVSS5.8AI score0.00344EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/06/01 9:16 a.m.13 views

PYSEC-0000-CVE-2026-45426

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's str.lstrip to the requested path segment when verifying the JWT's sub...

3.1CVSS5.8AI score0.00344EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/06/01 7:47 a.m.13 views

EUVD-2026-33585

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's str.lstrip to the requested path segment when verifying the JWT's sub...

3.1CVSS5.8AI score0.00344EPSS
Exploits0References2
OSV
OSV
added 2026/04/28 8:40 a.m.9 views

BIT-AIRFLOW-2026-40690 Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...

4.3CVSS5.3AI score0.00352EPSS
Exploits0References4
CVE
CVE
added 2026/04/24 12:35 p.m.13 views

CVE-2026-40690

CVE-2026-40690 affects the asset dependency graph in Apache Airflow. The issue: the graph view did not enforce DAG read permissions , allowing a user with access to at least one DAG to discover the existence and names of other DAGs and assets across the deployment. Root cause per sources: lack of...

4.3CVSS5.2AI score0.00352EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/24 12:35 p.m.5 views

CVE-2026-40690 Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...

5.2AI score0.00352EPSS
Exploits0References2
Rows per page
Query Builder