99 matches found

RedhatCVE
added 2026/06/05 7:45 p.m., 6 views

CVE-2026-40963

The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...

CVSS 3.1 · AI score 5.5 · EPSS 0.00459
Exploits 0 · References 1
NVD
added 2026/06/01 9:16 a.m., 13 views

CVE-2026-40963

The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...

CVSS 3.1 · EPSS 0.00459
Exploits 0 · References 3
Vulnrichment
added 2026/06/01 7:54 a.m., 11 views

CVE-2026-40963 Apache Airflow: DAG authorization bypass on /ui/structure/structure_data

The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...

AI score 5.8 · EPSS 0.00459
Exploits 0 · References 2
ATTACKERKB
added 2026/06/01 7:54 a.m., 7 views

CVE-2026-40963

The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...

AI score 5.8 · EPSS 0.00459
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2026/06/01 7:54 a.m., 30 views

CVE-2026-40963 Apache Airflow: DAG authorization bypass on /ui/structure/structure_data

The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...

EPSS 0.00459
Exploits 0 · References 2
CVE
added 2026/06/01 7:54 a.m., 22 views

CVE-2026-40963

The CVE-2026-40963 issue affects the Apache Airflow UI’s /ui/structure/structure_data endpoint. It allows an authenticated user with access to one Dag to enumerate dependency graph nodes and related metadata for other Dags for which they lack read permissions, leaking topology across teams when p...

CVSS 3.1 · AI score 5.8 · EPSS 0.00459
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2026/05/14 4:58 p.m., 37 views

CVE-2026-42572 Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`

Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any...

CVSS 5.3 · EPSS 0.00181
Exploits 0 · References 1
EUVD
added 2026/05/14 4:58 p.m., 8 views

EUVD-2026-30339

Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any...

CVSS 5.3 · AI score 5.8 · EPSS 0.00181
Exploits 0 · References 1
ATTACKERKB
added 2026/05/14 4:58 p.m., 5 views

CVE-2026-42572

Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any...

CVSS 5.3 · AI score 5.8 · EPSS 0.00181
Exploits 0 · References 2 · Affected Software 1
CVE
added 2026/05/14 4:58 p.m., 12 views

CVE-2026-42572

Hatchet’s CVE-2026-42572 describes a cross-tenant information disclosure in GET /api/v1/stable/dags/tasks due to a missing authorization directive. The underlying cause: the listTasksByDAGIds operation did not declare x-resources: ["tenant"], allowing a user authenticated to one tenant to supply ...

CVSS 6.5 · AI score 5.8 · EPSS 0.00181
Exploits 0 · References 1 · Affected Software 1
Snyk
added 2026/04/24 3:32 p.m., 8 views

Insufficient Granularity of Access Control

Overview: Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the /ui/dags endpoint, which fails to enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records. An attacker can access sensitive HITL prompts and TaskInstan...

CVSS 5.3 · AI score 5.8 · EPSS 0.00352
Exploits 0 · References 2
Github Security Blog
added 2026/04/24 3:32 p.m., 6 views

Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DA...

CVSS 4.3 · AI score 5.8 · EPSS 0.00352
Exploits 0 · References 6 · Affected Software 1
Vulnrichment
added 2026/04/24 12:36 p.m., 1 view

CVE-2026-38743 Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DA...

AI score 5.3 · EPSS 0.00352
Exploits 0 · References 2
Cvelist
added 2026/04/24 12:36 p.m., 26 views

CVE-2026-38743 Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DA...

EPSS 0.00352
Exploits 0 · References 2
CVE
added 2026/04/24 12:36 p.m., 18 views

CVE-2026-38743

The CVE-2026-38743 issue affects Apache Airflow’s authenticated /ui/dags endpoint, where per-DAG access control was not enforced for embedded HITL prompts and TaskInstance records. A user with read access to any DAG could access HITL prompts (including request parameters) and full TaskInstance de...

CVSS 4.3 · AI score 5.3 · EPSS 0.00352
Exploits 0 · References 3 · Affected Software 1
OSV
added 2026/04/21 12:1 p.m., 4 views

BIT-AIRFLOW-2026-32228 Apache Airflow: Users with asset materialization permissions could trigger Dags they had no access to

A UI/API user with asset materialize permission could trigger Dags they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...

CVSS 7.5 · AI score 5.7 · EPSS 0.00426
Exploits 0 · References 4
RedhatCVE
added 2026/04/20 7:23 p.m., 2 views

CVE-2026-32228

A UI/API user with asset materialize permission could trigger Dags they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...

CVSS 7.5 · AI score 5.8 · EPSS 0.00426
Exploits 0 · References 1
OSV
added 2026/04/18 9:30 a.m., 2 views

GHSA-H97W-PM3W-MWMC Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions

A UI/API user with asset materialize permission could trigger Dags they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...

CVSS 7.5 · AI score 5.7 · EPSS 0.00426
Exploits 0 · References 5
NVD
added 2026/04/18 7:16 a.m., 3 views

CVE-2026-32228

A UI/API user with asset materialize permission could trigger Dags they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...

CVSS 7.5 · EPSS 0.00426
Exploits 0 · References 3
ATTACKERKB
added 2026/04/18 6:20 a.m., 1 view

CVE-2026-30898

An example of BashOperator in the Airflow documentation suggested passing dagrun.conf in a way that could let unsanitized user input escalate a UI user's privileges to code execution on a worker. Users should review whether any of their own DAGs have adopted this incorrect advi...

AI score 5.9 · EPSS 0.00771
Exploits 0 · References 3