CVE-2026-26929

Source
https://cve.org/CVERecord?id=CVE-2026-26929
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26929.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26929
Aliases
Downstream
Published
2026-03-17T11:16:11.490Z
Modified
2026-04-10T05:37:01.715431Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

In Apache Airflow versions 3.0.0 through 3.1.7, the FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (the wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type
GIT
Repo
https://github.com/apache/airflow
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.8"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26929.json"