CVE-2026-40963

The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...

CVE-2026-41014 Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

Malicious code in apache-airflow-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e6c372df22c9d32de9b2be3a877474b47fc253abc67f5b69d611ebc9640559fe Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2024-11941 Malicious code in apache-airflow-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e6c372df22c9d32de9b2be3a877474b47fc253abc67f5b69d611ebc9640559fe Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

PYSEC-2022-42981

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed for example when they were depending on past and previous instances of the task failed. This issue affects Apache Airflow prior to 2.3.1...