CVE-2026-40690

EPSS 0.07%
Veröffentlicht 24.04.2026 12:35:33
Zuletzt bearbeitet 27.04.2026 12:24:56
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.

Users are recommended to upgrade to version 3.2.1, which fixes this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version < 3.2.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.221

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-1220 Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

https://github.com/apache/airflow/pull/65273

Patch

Issue Tracking

https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/24/4

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-40690

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40690

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40690

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40690