BIT-airflow-2026-24098

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2026-24098.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-airflow-2026-24098

Aliases

Published

2026-02-12T08:39:03.920Z

Modified

2026-02-12T09:26:07.863381Z

Summary

Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

Details

Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to.

Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Database specific

{
    "cpes": [
        "cpe:2.3:a:apache:airflow:*:*:*:*:*:python:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / airflow

Package

Name: airflow
Purl: pkg:bitnami/airflow

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.7

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2026-24098.json"