CVE-2026-28563

Source
https://cve.org/CVERecord?id=CVE-2026-28563
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28563.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28563
Aliases
Downstream
Published
2026-03-17T11:16:11.647Z
Modified
2026-04-10T05:41:22.096010Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user who holds only the DAG Dependencies permission to enumerate DAGs they are not authorized to view.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type
GIT
Repo
https://github.com/apache/airflow
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.8"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28563.json"