CVE-2026-26929
Received Received - Intake
Authorization Bypass in Apache Airflow FastAPI DagVersion API

Publication date: 2026-03-17

Last updated on: 2026-03-17

Assigner: Apache Software Foundation

Description
Apache Airflow versions 3.0.0 through 3.1.7Β FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26929
EUVD
EUVD-2026-12562
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow From 3.0.0 (inc) to 3.1.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26929 is a security vulnerability in Apache Airflow versions 3.0.0 through 3.1.7 affecting the FastAPI DagVersion listing API. When a request is made with the dag_id parameter set to "~" (a wildcard representing all DAGs), the API does not apply per-DAG authorization filtering. This means that the API can return version metadata for DAGs that the requester is not authorized to access.'}, {'type': 'paragraph', 'content': "The issue arises because the API endpoint responsible for listing DAG versions fails to properly filter the results based on the user's permissions, potentially exposing sensitive information about DAG versions that should be restricted."}] [2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of DAG version metadata in Apache Airflow. An attacker or unauthorized user could gain access to information about DAG versions that they should not be able to see.

Such unauthorized information disclosure could potentially aid attackers in understanding the workflows and processes managed by Airflow, which might be leveraged for further attacks or exploitation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the Apache Airflow FastAPI DagVersion listing API returning DAG version metadata without proper per-DAG authorization filtering when the request uses dag_id set to "~" (wildcard for all DAGs).'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can attempt to query the Airflow API endpoint responsible for listing DAG versions with the dag_id parameter set to "~" and observe if version metadata for unauthorized DAGs is returned.'}, {'type': 'paragraph', 'content': 'A possible command using curl to test this might be:'}, {'type': 'list_item', 'content': 'curl -X GET "http://<airflow-host>/api/v1/dags/~/dagVersions" -H "Authorization: Bearer <token>"'}, {'type': 'paragraph', 'content': 'If the response includes DAG versions for DAGs that the authenticated user should not have access to, the system is vulnerable.'}] [2]

Mitigation Strategies

The recommended immediate mitigation step is to upgrade Apache Airflow to version 3.1.8 or later, where this vulnerability has been fixed.

The fix enforces proper permission checks on the DAG version listing API to ensure that only authorized DAG versions are returned to the user.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26929. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart