Lucene search
K

25 matches found

OSV
OSV
added 2026/06/05 5:40 a.m.8 views

BIT-AIRFLOW-2026-41014 Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

4.3CVSS5.5AI score0.00352EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/02 10:3 p.m.17 views

CVE-2026-41014

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

4.3CVSS5.8AI score0.00352EPSS
Exploits0References1
PyPA
PyPA
added 2026/06/01 9:16 a.m.13 views

PYSEC-2026-182

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

4.3CVSS5.8AI score0.00352EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2026/06/01 9:16 a.m.11 views

PYSEC-0000-CVE-2026-41014

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

4.3CVSS5.8AI score0.00352EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/01 9:16 a.m.8 views

PYSEC-2026-182

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

4.3CVSS5.8AI score0.00352EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/01 7:53 a.m.12 views

CVE-2026-41014 Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

5.8AI score0.00352EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/01 7:53 a.m.12 views

EUVD-2026-33595

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

5.8AI score0.00352EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/01 7:53 a.m.9 views

CVE-2026-41014

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

5.8AI score0.00352EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/01 7:53 a.m.38 views

CVE-2026-41014 Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

0.00352EPSS
Exploits0References2
CVE
CVE
added 2026/06/01 7:53 a.m.30 views

CVE-2026-41014

Apache Airflow vulnerability CVE-2026-41014 affects the partitioned_dag_runs endpoints in the UI. The issue arises from enforcing only asset-level access control, enabling an authenticated UI/API user with global Asset:read permission to enumerate partition run state, schedule configuration, and ...

4.3CVSS5.8AI score0.00352EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/01 7:53 a.m.5 views

CVE-2026-41014 Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

4.3CVSS6AI score0.00352EPSS
Exploits0References6
OSV
OSV
added 2026/06/01 7:51 a.m.3 views

CVE-2026-41084 Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

7.5CVSS6AI score0.00458EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/06/01 12:0 a.m.11 views

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. However, Apache Airflow has security vulnerabilities. The...

4.3CVSS5.3AI score0.00352EPSS
Exploits0References4
Snyk
Snyk
added 2026/02/19 10:4 p.m.3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the POST /api/v2/dag-runs endpoint, which accepts and executes inline YAML specifications without authentication in the default configuration. An attacker can execute arbitrary commands o...

9.8CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added 2026/02/19 10:4 p.m.3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the POST /api/v2/dag-runs endpoint, which accepts and executes inline YAML specifications without authentication in the default configuration. An attacker can execute arbitrary commands o...

9.8CVSS6.2AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/02/19 10:4 p.m.9 views

Dagu affected by unauthenticated RCE via inline DAG spec in default configuration

Summary Dagu's default configuration ships with authentication disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default. Details...

6AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/02/19 10:4 p.m.3 views

GHSA-6QR9-G2XW-CW92 Dagu affected by unauthenticated RCE via inline DAG spec in default configuration

Summary Dagu's default configuration ships with authentication disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default. Details...

9.8CVSS6AI score
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-0007

Malicious code in bioql PyPI...

6.5CVSS6.5AI score0.01709EPSS
Exploits0References4
CNNVD
CNNVD
added 2023/09/12 12:0 a.m.4 views

Apache Airflow 安全漏洞

Apache Airflow is the United States Apache Apache Foundation's set of open source platform for creating, managing and monitoring workflow. The platform is scalable and dynamic monitoring and other characteristics. Apache Airflow versions prior to 2.7.1 have an authorization issue vulnerability th...

4.3CVSS7AI score0.01305EPSS
Exploits0References4
OSV
OSV
added 2022/01/28 9:55 p.m.19 views

GHSA-4JH2-3C85-Q67H Improper Privilege Management in apache-airflow

In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has "cancreate" permissions on DAG Runs can create Dag Runs for dags that they don't have "edit" permissions for...

6.5CVSS6.3AI score0.01709EPSS
Exploits0References3
Rows per page
Query Builder