6.5

CVE-2026-24098

EPSS 0.01%
Veröffentlicht 09.02.2026 10:32:53
Zuletzt bearbeitet 11.03.2026 13:51:59
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. 

Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version >= 3.0.0 < 3.1.7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.026

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/apache/airflow/pull/60801

Patch

Issue Tracking

https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/02/09/3

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-24098

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24098

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24098

EUVD