8 matches found
PT-2026-56177
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.3.0 Description A bug in the /ui/dependencies scheduling graph endpoint allows an authenticated UI user with read permissions on some Dags to enumerate identifiers of other Dags they are not authorized to rea...
EUVD-2026-12564
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...
Apache Airflow: DAG authorization bypass
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...
GHSA-X3FV-96QH-67M7 Apache Airflow: DAG authorization bypass
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...
CVE-2026-28563
CVE-2026-28563 affects Apache Airflow, versions 3.1.0–3.1.7. The /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs, allowing an authenticated user with only the DAG Dependencies permission to enumerate DAGs they are not authorized to view. Roo...
CVE-2026-28563
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...
CVE-2026-28563 Apache Airflow: DAG authorization bypass
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...
PT-2026-25892
Name of the Vulnerable Software and Affected Versions Apache Airflow versions 3.1.0 through 3.1.7 Description The /ui/dependencies endpoint in Apache Airflow returns the complete DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG...