Message-ID: <ff08e4eb-e2c3-6f56-6156-09567fbf869c@apache.org>
Date: Fri, 24 Apr 2026 12:24:03 +0000
From: Rahul Vats <rahulvats@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-40690: Apache Airflow: Assets graph view bypasses DAG-level access control, displaying unrelated topologies and all DAG names to unauthorized users

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.1

Description:

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.
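The check that was missing is an authorization filter applied to the graph itself, not just to the entry point. The following is an added illustration, not Airflow's code and not the fix in the referenced pull request: it models a small, constructed asset/DAG topology and places the unfiltered graph (the behaviour the advisory describes) beside a viewer-scoped version that prunes DAG nodes outside the viewer's read permissions, keeps an asset only when a retained DAG references it, drops any edge touching a pruned node, and answers a request for an out-of-scope asset the same way as a request for a nonexistent one. All function names, node ids and sample data are assumptions for the example.

```python
# Constructed sample topology (not real Airflow data). Node ids are prefixed
# "dag:" or "asset:"; every edge is either DAG -> produced asset or asset -> consuming DAG.
SAMPLE_GRAPH = {
    "nodes": {
        "dag:sales_ingest": {"type": "dag", "label": "sales_ingest"},
        "dag:finance_report": {"type": "dag", "label": "finance_report"},
        "dag:hr_export": {"type": "dag", "label": "hr_export"},
        "asset:s3://bucket/sales.csv": {"type": "asset", "label": "s3://bucket/sales.csv"},
        "asset:s3://bucket/payroll.csv": {"type": "asset", "label": "s3://bucket/payroll.csv"},
    },
    "edges": [
        ("dag:sales_ingest", "asset:s3://bucket/sales.csv"),
        ("asset:s3://bucket/sales.csv", "dag:finance_report"),
        ("dag:hr_export", "asset:s3://bucket/payroll.csv"),
    ],
}


def asset_graph_unfiltered(graph, viewer_readable_dags):
    """Weak form, matching the advisory: the viewer's DAG permissions are never consulted,
    so every DAG and asset in the deployment is returned to anyone who can reach the view."""
    return {"nodes": dict(graph["nodes"]), "edges": list(graph["edges"])}


def asset_graph_for_viewer(graph, viewer_readable_dags):
    """Hardened form: restrict nodes and edges to what the viewer's DAG read permissions cover."""
    readable = set(viewer_readable_dags)
    # 1. Keep only DAG nodes the viewer may read.
    keep = {nid for nid, node in graph["nodes"].items()
            if node["type"] == "dag" and node["label"] in readable}
    # 2. Keep an asset only if it is produced or consumed by a retained DAG.
    for src, dst in graph["edges"]:
        if src in keep and graph["nodes"][dst]["type"] == "asset":
            keep.add(dst)
        elif dst in keep and graph["nodes"][src]["type"] == "asset":
            keep.add(src)
    # 3. Drop every edge that touches a pruned node, so no hidden DAG is implied by a dangling edge.
    edges = [(s, d) for s, d in graph["edges"] if s in keep and d in keep]
    nodes = {nid: graph["nodes"][nid] for nid in keep}
    return {"nodes": nodes, "edges": edges}


def asset_graph_view(graph, asset_id, viewer_readable_dags):
    """Endpoint-style wrapper: return the scoped graph for one asset, or None when the asset is
    unknown OR out of the viewer's scope, so the response does not confirm that it exists."""
    scoped = asset_graph_for_viewer(graph, viewer_readable_dags)
    if asset_id not in scoped["nodes"]:
        return None
    return scoped


def dag_names_in(result):
    """DAG labels present in a graph response; used to audit what a viewer can learn."""
    return {node["label"] for node in result["nodes"].values() if node["type"] == "dag"}


def leaked_dag_names(result, viewer_readable_dags):
    """DAG names exposed by a response that the viewer is not authorized to read."""
    return dag_names_in(result) - set(viewer_readable_dags)


if __name__ == "__main__":
    viewer = ["sales_ingest"]
    print("unfiltered leaks:", sorted(leaked_dag_names(asset_graph_unfiltered(SAMPLE_GRAPH, viewer), viewer)))
    print("scoped leaks:", sorted(leaked_dag_names(asset_graph_for_viewer(SAMPLE_GRAPH, viewer), viewer)))
```

The audit helpers are the part worth keeping in a test suite: for every viewer fixture, assert that `leaked_dag_names` on the graph response is empty, which turns the advisory's condition into a regression check rather than a manual review of the view's query.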

Users are recommended to upgrade to version 3.2.1, which fixes this issue.

Credit:

Saurabh (finder)
Jarek Potiuk (remediation developer)

References:

https://github.com/apache/airflow/pull/65273
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40690
