CVE-2026-26929

MEDIUM 6.5

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CWE	CWE-732
Vendor	apache software foundation
Product	apache airflow
Published	Mar 17, 2026
Last Updated	Mar 17, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow

3.0.0 < 3.1.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/61675 lists.apache.org: https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss openwall.com: http://www.openwall.com/lists/oss-security/2026/03/17/4

Credits

Pierre Jeambrun