
Description

In Apache Airflow versions 3.0.0 through 3.1.7, the FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (the wildcard for all DAGs). As a result, version metadata for DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

PUBLISHED Reserved 2026-02-16 | Published 2026-03-17 | Updated 2026-03-17 | Assigner apache

Problem types

CWE-732 Incorrect Permission Assignment for Critical Resource

Product status

Default status: unaffected

3.0.0 (semver) before 3.1.8: affected

Credits

Pierre Jeambrun (remediation developer)

References

www.openwall.com/lists/oss-security/2026/03/17/4

github.com/apache/airflow/pull/61675 patch

lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss vendor-advisory

cve.org (CVE-2026-26929)

nvd.nist.gov (CVE-2026-26929)
