CVE-2026-40690

MEDIUM 4.3

Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes this issue.

CWE	CWE-1220
Vendor	apache software foundation
Product	apache airflow
Published	Apr 24, 2026
Last Updated	Apr 24, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow

0 < 3.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/65273 lists.apache.org: https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl

Credits

Saurabh Jarek Potiuk