CVE-2026-24098
Information Disclosure in Apache Airflow UI via DAG Import Errors
Publication date: 2026-02-09
Last updated on: 2026-03-11
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | From 3.0.0 (inc) to 3.1.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Users are advised to upgrade Apache Airflow to version 3.1.7 or later, which resolves this issue.
Can you explain this vulnerability to me?
Apache Airflow versions before 3.1.7 have a vulnerability that allows authenticated users who have permission to access one or more specific Directed Acyclic Graphs (Dags) in the UI to view import errors generated by other Dags they do not have permission to access.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of information about other Dags in the system, potentially exposing sensitive error details to users who should not have access to them.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know