Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1a91aaf9-b571-40c1-1a8c-081e1bda9612@apache.org>
Date: Sun, 31 May 2026 11:39:07 +0000
From: Rahul Vats <rahulvats@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-40963: Apache Airflow: DAG authorization bypass on
 /ui/structure/structure_data 

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.2.2

Description:

The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

Credit:

Masamune - Unit515 OPSWAT (finder)
Jarek Potiuk (remediation developer)

References:

https://github.com/apache/airflow/pull/65342
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40963

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.