CVE-2026-41014
Airflow UI Partitioned DAG Runs Information Disclosure
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache_airflow | From 3.2.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-41014 vulnerability in Apache Airflow involves insufficient authorization checks in the partitioned_dag_runs endpoints of the Airflow UI and API.
Specifically, these endpoints enforced only asset-level access control rather than per-DAG authorization. This means that an authenticated user with global Asset:read permission could access metadata such as partition run state, schedule configuration, and asset wiring for DAGs they were not authorized to read.
The issue affects deployments that rely on restricting read access on a per-DAG basis while granting users broader asset access.
The vulnerability was fixed by adding per-DAG authorization checks, ensuring users can only access partitioned DAG runs for DAGs they are explicitly authorized to view.
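The two authorization shapes contrasted above, as an added illustration written for this page. It is not Apache Airflow's code: the data model, the `User` grants, and the function names are assumptions chosen to show the pattern. The first function gates only on the global Asset:read permission, so every DAG's partition-run metadata comes back; the second adds the per-DAG read filter the fix describes, and the per-item variant denies before it looks the run up so an unauthorized caller learns nothing about whether the run exists.

```python
"""Asset-level vs per-DAG authorization on a partitioned-DAG-runs style view.

Hypothetical illustration for CVE-2026-41014; not Airflow's implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PartitionedDagRun:
    dag_id: str
    partition_key: str
    state: str
    asset_uri: str  # the asset the partition run is wired to


# Constructed sample data: three DAGs, each wired to its own asset.
RUNS = [
    PartitionedDagRun("finance_etl", "2026-05-31", "success", "s3://bucket/finance"),
    PartitionedDagRun("hr_payroll", "2026-05-31", "running", "s3://bucket/hr"),
    PartitionedDagRun("marketing_sync", "2026-05-31", "failed", "s3://bucket/mkt"),
]


@dataclass
class User:
    name: str
    can_read_assets: bool                     # global Asset:read
    readable_dags: set = field(default_factory=set)  # per-DAG read grants


class Forbidden(Exception):
    """Raised where a real handler would answer 403."""


def list_runs_asset_only(user: User, runs=RUNS):
    """Vulnerable shape described in the advisory: only the global Asset:read
    permission is consulted, so metadata for every DAG is returned."""
    if not user.can_read_assets:
        raise Forbidden("Asset:read required")
    return list(runs)


def list_runs_per_dag(user: User, runs=RUNS):
    """Fixed shape: Asset:read still gates the endpoint, and each run is
    additionally filtered by the caller's per-DAG read authorization."""
    if not user.can_read_assets:
        raise Forbidden("Asset:read required")
    return [r for r in runs if r.dag_id in user.readable_dags]


def get_pending_run_per_dag(user: User, dag_id: str, partition_key: str, runs=RUNS):
    """Per-item shape: authorize on dag_id before the lookup, so an unauthorized
    caller cannot distinguish 'no such run' from 'run exists but is hidden'."""
    if not user.can_read_assets or dag_id not in user.readable_dags:
        raise Forbidden(f"not authorized to read DAG {dag_id}")
    for run in runs:
        if run.dag_id == dag_id and run.partition_key == partition_key:
            return run
    return None


if __name__ == "__main__":
    analyst = User("analyst", can_read_assets=True, readable_dags={"marketing_sync"})
    print("asset-only:", [r.dag_id for r in list_runs_asset_only(analyst)])
    print("per-DAG:   ", [r.dag_id for r in list_runs_per_dag(analyst)])
```

The ordering in `get_pending_run_per_dag` is the detail worth copying: checking the grant before touching the store keeps the per-item endpoint from leaking the existence of a (dag_id, partition_key) pair through a 403-versus-404 difference.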
How can this vulnerability impact me?
This vulnerability can allow an authenticated user with broad asset read permissions to view sensitive metadata about DAGs they should not have access to.
Such unauthorized access could lead to information disclosure about the state, schedule, and wiring of DAGs, potentially exposing operational details or business logic that should remain confidential.
If your deployment relies on per-DAG read restrictions for security or compliance reasons, this vulnerability undermines those controls and could increase the risk of insider threats or data leakage.
Users are advised to upgrade to Apache Airflow version 3.2.2 or later to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves insufficient authorization checks on the /ui/partitioned_dag_runs and /ui/pending_partitioned_dag_run/{dag_id}/{partition_key} endpoints in Apache Airflow. Detection would involve verifying if these endpoints allow access to DAG metadata without proper per-DAG authorization.
To detect exploitation attempts or presence of the vulnerability, you can monitor access logs for requests to these endpoints from users who should not have access to certain DAGs.
Specific commands are not provided in the resources, but you can use tools like curl or other HTTP clients to test access control, using a token for a user who holds Asset:read but is not granted read access to the DAG in question, for example:
- `curl -i -H "Authorization: Bearer <token>" https://<airflow-host>/ui/partitioned_dag_runs`
- `curl -i -H "Authorization: Bearer <token>" https://<airflow-host>/ui/pending_partitioned_dag_run/<dag_id>/<partition_key>`
If these requests return metadata for DAGs that user should not be able to read, the system is vulnerable.
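The log review described above, as an added example that is not part of the original record. The log format, the sample lines, and the per-DAG grant table are all constructed for the illustration; a real deployment would map its own access-log fields onto the `LINE_RE` pattern. The logic flags successful responses on the two affected endpoints: a per-item request for a DAG the user has no read grant on, and any list request from a user without full DAG read, since on an unfixed version that list would have contained every DAG.

```python
"""Flag requests to the partitioned-DAG-run endpoints that exceed a user's
per-DAG read grants. Constructed example for CVE-2026-41014; the log format
and grant table are assumptions, not Airflow's real output or RBAC model."""
import re
from collections import namedtuple

# Constructed sample access log (not real Airflow output).
SAMPLE_LOG = """\
2026-06-01T09:58:01Z user=admin method=GET path=/ui/partitioned_dag_runs?dag_id=finance_etl status=200
2026-06-01T09:59:12Z user=analyst method=GET path=/ui/pending_partitioned_dag_run/marketing_sync/2026-05-31 status=200
2026-06-01T10:00:03Z user=analyst method=GET path=/ui/pending_partitioned_dag_run/hr_payroll/2026-05-31 status=200
2026-06-01T10:00:09Z user=analyst method=GET path=/ui/partitioned_dag_runs status=200
2026-06-01T10:01:44Z user=contractor method=GET path=/ui/pending_partitioned_dag_run/finance_etl/2026-05-31 status=403
2026-06-01T10:02:00Z user=analyst method=GET path=/api/v2/dags status=200
"""

# Constructed per-DAG read grants; "*" means the user may read every DAG.
DAG_READ_GRANTS = {
    "admin": {"*"},
    "analyst": {"marketing_sync"},
    "contractor": set(),
}

LINE_RE = re.compile(r"user=(?P<user>\S+) .*?path=(?P<path>\S+) status=(?P<status>\d+)")
PENDING_RE = re.compile(r"^/ui/pending_partitioned_dag_run/(?P<dag_id>[^/?]+)/(?P<key>[^/?]+)")
LIST_RE = re.compile(r"^/ui/partitioned_dag_runs(?:\?|$)")

Finding = namedtuple("Finding", "lineno user dag_id reason")


def find_suspect_requests(log_text: str, grants: dict) -> list:
    """Return one Finding per successful request that the caller's per-DAG
    grants would not justify. Only status 200 is considered, because a 403
    means the authorization check already held."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m or m["status"] != "200":
            continue
        user, path = m["user"], m["path"]
        allowed = grants.get(user, set())
        if "*" in allowed:
            continue  # full DAG read: nothing to flag
        pm = PENDING_RE.match(path)
        if pm:
            if pm["dag_id"] not in allowed:
                findings.append(Finding(lineno, user, pm["dag_id"],
                                        "per-item endpoint served for a DAG outside the user's grants"))
        elif LIST_RE.match(path):
            findings.append(Finding(lineno, user, None,
                                    "list endpoint served to a user without full DAG read; review what was returned"))
    return findings


if __name__ == "__main__":
    for f in find_suspect_requests(SAMPLE_LOG, DAG_READ_GRANTS):
        print(f"line {f.lineno}: user={f.user} dag_id={f.dag_id} {f.reason}")
```

Run against the constructed log this reports two lines for `analyst`: the per-item request for `hr_payroll`, which is outside that user's grants, and the unfiltered list request. The `admin` hit is skipped because that user may read every DAG, and the `contractor` line is skipped because the server already answered 403.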
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, where the vulnerability has been fixed by adding proper per-DAG authorization checks.
This fix enforces per-DAG access control on the affected endpoints, preventing unauthorized users from enumerating DAG metadata.
Until the upgrade is applied, consider restricting access to the Airflow UI/API to trusted users only and review user permissions to limit broad Asset:read access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with broad asset-level read permissions to access metadata and state information for DAGs they are not authorized to view. This unauthorized data exposure could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict access controls and data minimization to protect sensitive information.
By not enforcing per-DAG authorization, the system risks exposing information beyond the intended scope of user permissions, which may violate principles of least privilege and data confidentiality mandated by these standards.
Upgrading to Apache Airflow version 3.2.2 or later, which implements per-DAG authorization checks, mitigates this risk by ensuring users can only access data for DAGs they are explicitly authorized to view.