CVE Alert

CVE-2026-46764

Severity: MEDIUM (CVSS 4.3)

Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter

CVSS Score: 4.3
EPSS Score: 0.0%
EPSS Percentile: 14th

The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
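The defect the advisory describes is an insecure direct object reference (CWE-639): the collection endpoint filters rows by the Dags the caller may read, but the detail endpoint skips that filter and returns whatever row the numeric id points at. The following is an added illustration of both endpoint shapes side by side, written for this page and not taken from Airflow's code base; the `EventLog` and `User` models, the permission fields and the sample rows are all assumptions constructed for the example. The hardened handler applies the same per-Dag scope as the collection endpoint and answers an out-of-scope id exactly like a missing one, so the response does not confirm that the row exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EventLog:
    """Minimal stand-in for an audit-log row (field names assumed, not Airflow's ORM)."""
    id: int
    dag_id: str
    event: str


@dataclass(frozen=True)
class User:
    """Caller with a generic Audit Log permission plus a set of readable Dags (assumed model)."""
    can_read_audit_log: bool
    readable_dags: frozenset[str]


# Constructed sample rows for the demonstration.
EVENT_LOGS = {
    1: EventLog(1, "dag_a", "trigger"),
    2: EventLog(2, "dag_b", "pause"),
    3: EventLog(3, "dag_a", "delete"),
}


class Forbidden(Exception):
    """Stands in for HTTP 403: caller lacks the generic Audit Log permission."""


class NotFound(Exception):
    """Stands in for HTTP 404: no row the caller may see has this id."""


def _require_audit_log_permission(user: User) -> None:
    if not user.can_read_audit_log:
        raise Forbidden("audit log read permission required")


def list_event_logs(user: User) -> list[EventLog]:
    """Collection endpoint: generic permission check plus per-Dag scoping."""
    _require_audit_log_permission(user)
    return [row for row in EVENT_LOGS.values() if row.dag_id in user.readable_dags]


def get_event_log_unscoped(user: User, event_log_id: int) -> EventLog:
    """Detail endpoint shaped like the advisory's description: the row is fetched
    by id after only the generic check, so every row is reachable by id."""
    _require_audit_log_permission(user)
    row = EVENT_LOGS.get(event_log_id)
    if row is None:
        raise NotFound(event_log_id)
    return row


def get_event_log_scoped(user: User, event_log_id: int) -> EventLog:
    """Hardened detail endpoint: the same per-Dag filter the collection endpoint
    applies. An out-of-scope row is reported like a missing one."""
    _require_audit_log_permission(user)
    row = EVENT_LOGS.get(event_log_id)
    if row is None or row.dag_id not in user.readable_dags:
        raise NotFound(event_log_id)
    return row


def reachable(handler, user: User, event_log_id: int) -> bool:
    """True if the handler returns a row for this caller and id, False on 404."""
    try:
        handler(user, event_log_id)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    caller = User(can_read_audit_log=True, readable_dags=frozenset({"dag_a"}))
    print("collection:", [r.id for r in list_event_logs(caller)])
    for handler in (get_event_log_unscoped, get_event_log_scoped):
        print(handler.__name__, {i: reachable(handler, caller, i) for i in EVENT_LOGS})
```

The useful check when reviewing a detail endpoint is the one shown by `reachable`: a caller whose collection view contains ids 1 and 3 must not get a row back for id 2 from the detail route, and the scoping predicate should be the same code path in both handlers rather than two hand-written copies that can drift apart.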

CWE: CWE-639
Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jun 1, 2026
Last Updated: Jun 2, 2026

Affected Versions

Apache Software Foundation / Apache Airflow: 0 < 3.2.2 (all versions before 3.2.2)

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/apache/airflow/pull/67112
lists.apache.org: https://lists.apache.org/thread/ctrbj7q3m86g4qxmo9ponojgmzrcoqpv
openwall.com: http://www.openwall.com/lists/oss-security/2026/05/31/14

Credits

Stoyan Stoyanov Trendafilov (trstoyan), independent security researcher
Pierre Jeambrun (@pierrejeambrun)