CVE-2026-41014

MEDIUM 4.3

Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

4th

The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

CWE	CWE-862
Vendor	apache software foundation
Product	apache airflow
Published	Jun 1, 2026
Last Updated	Jun 2, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache airflow

Be the first to know when new medium vulnerabilities affecting apache software foundation apache airflow are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Airflow

3.2.0 < 3.2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/apache/airflow/pull/65344 lists.apache.org: https://lists.apache.org/thread/12nbzwwby7g883w2j13gn7ny1545xob9 openwall.com: http://www.openwall.com/lists/oss-security/2026/05/31/4

Credits

Yalguun Tumenkhuu (fg0x0) Jarek Potiuk