CVE-2026-24098

Source
https://cve.org/CVERecord?id=CVE-2026-24098
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24098.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24098
Aliases
Downstream
Published
2026-02-09T10:32:53.910Z
Modified
2026-07-08T07:32:25.315916759Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors
Details

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to.

Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24098.json",
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type
GIT
Repo
https://github.com/apache/airflow
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.7"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24098.json"