CVE-2026-41014
Airflow UI Partitioned DAG Runs Information Disclosure

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: Apache Software Foundation

Description
The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
References: NVD, EUVD
Affected Vendors & Products
Vendor   Product   Version / Range
apache   airflow   From 3.2.0 (inc) to 3.2.2 (exc)
Exploitability
CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-41014 vulnerability in Apache Airflow involves insufficient authorization checks in the partitioned_dag_runs endpoints of the Airflow UI and API.

Specifically, these endpoints enforced only asset-level access control rather than per-DAG authorization. This means that an authenticated user with global Asset:read permission could access metadata such as partition run state, schedule configuration, and asset wiring for DAGs they were not authorized to read.

The issue affects deployments that rely on restricting read access on a per-DAG basis while granting users broader asset access.

The vulnerability was fixed by adding per-DAG authorization checks, ensuring users can only access partitioned DAG runs for DAGs they are explicitly authorized to view.

Impact Analysis

This vulnerability can allow an authenticated user with broad asset read permissions to view sensitive metadata about DAGs they should not have access to.

Such unauthorized access could lead to information disclosure about the state, schedule, and wiring of DAGs, potentially exposing operational details or business logic that should remain confidential.

If your deployment relies on per-DAG read restrictions for security or compliance reasons, this vulnerability undermines those controls and could increase the risk of insider threats or data leakage.

Users are advised to upgrade to Apache Airflow version 3.2.2 or later to mitigate this risk.

Detection Guidance

This vulnerability involves insufficient authorization checks on the /ui/partitioned_dag_runs and /ui/pending_partitioned_dag_run/{dag_id}/{partition_key} endpoints in Apache Airflow. Detection consists of verifying whether these endpoints return DAG metadata to a user who holds Asset:read but lacks read permission on the DAG concerned.

To detect exploitation attempts or presence of the vulnerability, you can monitor access logs for requests to these endpoints from users who should not have access to certain DAGs.

Specific commands are not provided in the resources, but you can use tools like curl or HTTP clients to test access control, for example:

  • curl -i -H "Authorization: Bearer <token>" https://<airflow-host>/ui/partitioned_dag_runs
  • curl -i -H "Authorization: Bearer <token>" https://<airflow-host>/ui/pending_partitioned_dag_run/<dag_id>/<partition_key>

If these commands, run with a token for a user who holds Asset:read but not read permission on the DAG concerned, return that DAG's metadata, the system is vulnerable.
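The log-review step above, as an added example that is not part of this advisory: it scans access-log lines for successful hits on the two affected endpoints and reports those where the requesting user holds no read grant for the DAG involved. The log line shape, the per-user grant map and the idea that the list endpoint accepts a dag_id query filter are assumptions of this example, not details taken from the page.

```python
"""Flag access-log hits on the two CVE-2026-41014 endpoints by users who hold
no read grant for the DAG involved. Log lines and grants are constructed."""
import re
from typing import Optional

LIST_PATH = "/ui/partitioned_dag_runs"          # endpoints named in the advisory
PENDING_RE = re.compile(r"^/ui/pending_partitioned_dag_run/([^/?]+)/([^/?]+)")
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})')  # client user "M path P" status

# Constructed per-DAG read grants (user -> DAG ids the user may read).
DAG_READ = {"alice": {"etl_sales", "etl_inventory"}, "bob": {"etl_sales"}}

SAMPLE_LOG = """\
10.0.0.5 alice "GET /ui/pending_partitioned_dag_run/etl_sales/2026-06-01 HTTP/1.1" 200
10.0.0.6 bob "GET /ui/pending_partitioned_dag_run/etl_inventory/2026-06-01 HTTP/1.1" 200
10.0.0.6 bob "GET /ui/partitioned_dag_runs?dag_id=etl_inventory HTTP/1.1" 200
10.0.0.7 carol "GET /ui/partitioned_dag_runs HTTP/1.1" 200
10.0.0.7 carol "GET /ui/pending_partitioned_dag_run/etl_sales/2026-06-01 HTTP/1.1" 403
10.0.0.5 alice "GET /ui/dags HTTP/1.1" 200
"""

def dags_in_request(path: str) -> Optional[set]:
    """DAG ids an affected-endpoint request touches; the dag_id query filter on the
    list endpoint is an assumption of this example. None for unrelated paths."""
    route, _, query = path.partition("?")
    m = PENDING_RE.match(route)
    if m:
        return {m.group(1)}
    if route == LIST_PATH:
        return {p[7:] for p in query.split("&") if p.startswith("dag_id=")}
    return None

def find_unauthorized(log_text: str, grants: dict) -> list:
    """(user, path, missing_dags) for each 2xx hit a per-DAG read check would
    have denied; non-2xx responses are the fixed behaviour, not a leak."""
    all_dags = set().union(*grants.values())
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, user, _, path, status = m.groups()
        dags = dags_in_request(path)
        if dags is None or not status.startswith("2"):
            continue
        # An unfiltered listing exposes every DAG, so measure against all of them.
        missing = (dags or all_dags) - grants.get(user, set())
        if missing:
            findings.append((user, path, tuple(sorted(missing))))
    return findings
```

Replace DAG_READ with the grants exported from your own deployment and feed real access logs to find_unauthorized; an empty result on a patched instance is expected, since the fix turns these hits into denials.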

Mitigation Strategies

The primary mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, where the vulnerability has been fixed by adding proper per-DAG authorization checks.

This fix enforces per-DAG access control on the affected endpoints, preventing unauthorized users from enumerating DAG metadata.

Until the upgrade is applied, consider restricting access to the Airflow UI/API to trusted users only and review user permissions to limit broad Asset:read access.

Compliance Impact

The vulnerability allows authenticated users with broad asset-level read permissions to access metadata and state information for DAGs they are not authorized to view. This unauthorized data exposure could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict access controls and data minimization to protect sensitive information.

By not enforcing per-DAG authorization, the system risks exposing information beyond the intended scope of user permissions, which may violate principles of least privilege and data confidentiality mandated by these standards.

Upgrading to Apache Airflow version 3.2.2 or later, which implements per-DAG authorization checks, mitigates this risk by ensuring users can only access data for DAGs they are explicitly authorized to view.
