CVE-2026-26929
Authorization Bypass in Apache Airflow FastAPI DagVersion API
Publication date: 2026-03-17
Last updated on: 2026-03-17
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | airflow | From 3.0.0 (inc) to 3.1.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26929 is a security vulnerability in Apache Airflow versions 3.0.0 through 3.1.7 affecting the FastAPI DagVersion listing API. When a request is made with the dag_id parameter set to "~" (a wildcard representing all DAGs), the API does not apply per-DAG authorization filtering. This means that the API can return version metadata for DAGs that the requester is not authorized to access.

The issue arises because the API endpoint responsible for listing DAG versions fails to properly filter the results based on the user's permissions, potentially exposing sensitive information about DAG versions that should be restricted. [2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of DAG version metadata in Apache Airflow. An attacker or unauthorized user could gain access to information about DAG versions that they should not be able to see.
Such unauthorized information disclosure could potentially aid attackers in understanding the workflows and processes managed by Airflow, which might be leveraged for further attacks or exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Apache Airflow FastAPI DagVersion listing API returning DAG version metadata without proper per-DAG authorization filtering when the request uses dag_id set to "~" (wildcard for all DAGs).

To detect this vulnerability on your system, you can attempt to query the Airflow API endpoint responsible for listing DAG versions with the dag_id parameter set to "~" and observe if version metadata for unauthorized DAGs is returned.

A possible command using curl to test this might be:

- `curl -X GET "http://<airflow-host>/api/v1/dags/~/dagVersions" -H "Authorization: Bearer <token>"`

If the response includes DAG versions for DAGs that the authenticated user should not have access to, the system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation step is to upgrade Apache Airflow to version 3.1.8 or later, where this vulnerability has been fixed.
The fix enforces proper permission checks on the DAG version listing API to ensure that only authorized DAG versions are returned to the user.