Executive Summary

The CVE-2026-46764 vulnerability in Apache Airflow is an authorization bypass issue in the Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}`. This endpoint fetched audit-log entries directly by numeric ID after only a generic audit log permission check, without enforcing per-DAG (Directed Acyclic Graph) scoping.

While the collection endpoint `GET /api/v2/eventLogs` applied proper per-DAG scoping to restrict access, the detail endpoint allowed an authenticated user with audit-log read permission for one DAG to access audit logs for any other DAG by guessing or enumerating numeric event log IDs.

This means that users could retrieve audit logs beyond their authorized scope, potentially exposing sensitive audit information from other DAGs.

The vulnerability affects deployments relying on per-DAG audit-log scoping and was fixed in Apache Airflow version 3.2.2 and later.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an authenticated user with audit-log read permission for a single DAG to access audit logs of other DAGs without proper authorization.

Such unauthorized access could lead to exposure of sensitive audit information, potentially revealing operational details, user actions, or security-relevant events from other parts of your Airflow deployment.

If your deployment relies on per-DAG audit-log scoping to enforce access control, this vulnerability undermines that security model, increasing the risk of information disclosure.

To mitigate this risk, it is advised to upgrade to Apache Airflow version 3.2.2 or later, where the issue has been fixed by enforcing stricter per-DAG permission checks on the event log detail endpoint.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether an authenticated user with audit-log read permission for one DAG can access audit-log entries for other DAGs by enumerating or guessing numeric event log IDs via the endpoint GET /api/v2/eventLogs/{event_log_id}.

A practical approach is to attempt API calls to the event log detail endpoint with different numeric event_log_id values beyond the scope of the user's permitted DAGs and observe if audit logs from unauthorized DAGs are returned.

Example command using curl (replace placeholders accordingly):

• curl -H "Authorization: Bearer <token>" https://<airflow-host>/api/v2/eventLogs/<event_log_id>

By iterating over multiple event_log_id values, if audit logs from DAGs outside the user's permission scope are accessible, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation step is to upgrade Apache Airflow to version 3.2.2 or later, where this vulnerability has been fixed.

The fix enforces proper per-DAG audit log permission checks on the event log detail endpoint, preventing unauthorized access by users with limited DAG permissions.

Until the upgrade can be applied, consider restricting access to the API endpoints to trusted users only and monitoring audit log access patterns for suspicious enumeration attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated user with audit-log read permission for one DAG to access audit-log entries for other DAGs by guessing or enumerating numeric event log IDs. This unauthorized access to audit logs could lead to exposure of sensitive operational data that should be restricted per DAG.

Such unauthorized access to audit logs may impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data, including audit trails. Deployments relying on per-DAG audit-log scoping could be at risk of violating these requirements if the vulnerability is not mitigated.

Upgrading to Apache Airflow 3.2.2 or later, which enforces proper per-DAG permission checks on the event log detail endpoint, is advised to maintain compliance and prevent unauthorized audit log access.

Useful 0 Not Useful 0