CVE Alert

CVE-2026-24098

MEDIUM 6.5

Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Apache Airflow versions 3.0.0 - 3.1.7 have a vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue.

CWE: CWE-200
Vendor: apache software foundation
Product: apache airflow
Published: Feb 9, 2026
Last Updated: Mar 10, 2026

Affected Versions

Apache Software Foundation / Apache Airflow
3.0.0 < 3.1.7

References

github.com: https://github.com/apache/airflow/pull/60801
lists.apache.org: https://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x
openwall.com: http://www.openwall.com/lists/oss-security/2026/02/09/3

Credits

Saurabh