๐Ÿ” CVE Alert

CVE-2026-40963

LOW 3.1

Apache Airflow: DAG authorization bypass on /ui/structure/structure_data

CVSS Score: 3.1
EPSS Score: 0.0%
EPSS Percentile: 4th

The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

CWE: CWE-285
Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 1, 2026
Last Updated: Jun 1, 2026

Affected Versions

Apache Software Foundation / Apache Airflow
>= 3.0.0, < 3.2.2

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/apache/airflow/pull/65342
lists.apache.org: https://lists.apache.org/thread/s907bhsksc37m59f0loqjcp1ryobrr60
openwall.com: http://www.openwall.com/lists/oss-security/2026/05/31/3

Credits

Masamune - Unit515 OPSWAT
Jarek Potiuk