CVE-2026-26929

MEDIUM

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Title source: cna

Description

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References (3)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2026/03/17/4

[Patch] https://github.com/apache/airflow/pull/61675

[Vendor Advisory] https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 19.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-732

Status published

Products (3)

apache/airflow 3.0.0 - 3.1.8

Apache Software Foundation/Apache Airflow 3.0.0 - 3.1.8

pypi/apache-airflow 3.0.0 - 3.1.8PyPI

Published Mar 17, 2026

Tracked Since Mar 17, 2026