
14 matches found

Snyk
added 2026/04/24 3:32 p.m. · 6 views

Insufficient Granularity of Access Control

Overview: Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the asset dependency graph. An attacker can gain unauthorized access to the existence and names of DAGs and assets outside their authorized scope by leveraging read access to at least one DA...

CVSS 5.3 · AI score 5.8 · EPSS 0.00087
Exploits 0 · References 2
CNNVD
added 2026/04/18 12:00 a.m. · 5 views

Apache Airflow Security Vulnerability

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. There is a security vulnerability in Apache Airflow, whic...

CVSS 7.5 · AI score 5.8 · EPSS 0.00078
Exploits 0 · References 2
Positive Technologies
added 2026/03/17 12:00 a.m. · 3 views

PT-2026-25892

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...

CVSS 4.3 · AI score 5.7 · EPSS 0.00036
Exploits 0 · References 12
PyPA
added 2026/02/09 11:16 a.m. · 7 views

PYSEC-2026-12

Apache Airflow, versions 3.0.0 - 3.1.7, has a vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue...

CVSS 6.5 · AI score 5.8 · EPSS 0.00016
Exploits 0 · References 4 · Affected Software 1
OSV
added 2024/02/29 12:31 p.m. · 0 views

GHSA-6V6W-H8M6-7MV2 Apache Airflow: DAG Code and Import Error Permissions Ignored

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk...

CVSS 5.1 · AI score 6.3 · EPSS 0.00051
Exploits 0 · References 16
BDU FSTEC
added 2024/02/14 12:00 a.m. · 2 views

The vulnerability of the Apache Airflow network software, related to the exposure of protected information, allows attackers to view warnings related to all DAGs in Airflow.

The vulnerability of the Apache Airflow network software relates to the exposure of protected information. Exploiting this vulnerability allows a malicious actor to monitor all DAGs in Airflow...

CVSS 6.8 · AI score 6.5 · EPSS 0.0013
Exploits 0 · References 3 · Affected Software 1
OSV
added 2023/11/12 3:30 p.m. · 1 views

GHSA-R7X6-XFCM-3MXV Apache Airflow vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to a similar outcome. Users of Apache Airflow are...

CVSS 7.1 · AI score 6.6 · EPSS 0.00054
Exploits 0 · References 7
Positive Technologies
added 2023/11/12 12:00 a.m. · 2 views

PT-2023-6909 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.7.3
Description: The issue is related to insufficient protection of internal data in Apache Airflow, allowing an authorized user with limited access to read specific DAGs to also read information about task...

CVSS 7.1 · AI score 6 · EPSS 0.00054
Exploits 0 · References 14
Veracode
added 2023/10/16 7:44 a.m. · 16 views

Information Disclosure

Apache Airflow is vulnerable to Information Disclosure. The vulnerability is due to a flaw that permits authenticated users to list warnings for all Directed Acyclic Graphs (DAGs) regardless of their permissions to access such DAGs. This leads to exposure of sensitive information such as dagids a...

CVSS 6.5 · AI score 6.4 · EPSS 0.0013
Exploits 0 · References 3 · Affected Software 1
OSV
added 2023/10/14 10:15 a.m. · 0 views

PYSEC-2023-197

Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated wit...

CVSS 6.5 · AI score 6.6 · EPSS 0.00401
Exploits 0 · References 3
PyPA
added 2023/10/14 10:15 a.m. · 4 views

PYSEC-2023-203

Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to...

CVSS 6.5 · AI score 6.6 · EPSS 0.00582
Exploits 0 · References 4 · Affected Software 1
OSV
added 2023/10/14 10:15 a.m. · 0 views

PYSEC-2023-202

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dagids and the stack-traces of import errors for those DAGs with import...

CVSS 6.5 · AI score 6 · EPSS 0.0013
Exploits 0 · References 4
Check Point Advisories
added 2022/10/31 12:00 a.m. · 1 views

Apache Airflow Command Injection (CVE-2022-24288)

A command injection vulnerability exists in Apache Airflow. This vulnerability is due to improper input validation for parameters for directed acyclic graphs (DAGs)...

CVSS 6.5 · AI score 4.9 · EPSS 0.89825
Exploits 0
OSV
added 2022/02/26 12:00 a.m. · 0 views

GHSA-3V7G-4PG3-7R6J OS Command injection in Apache Airflow

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI...

CVSS 8.8 · AI score 5.9 · EPSS 0.89825
Exploits 0 · References 5