CVE-2026-24098

CWE-200 — Information Exposure5 documents5 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 93.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedFeb 9

Description

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/airflow3.0.0 — 3.1.7

▶PyPIapache-airflow< 3.1.7

▶CVEListV5apache_software_foundation/apache_airflow3.0.0 — 3.1.7

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors↗2026-02-09

▶

OSV

Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users↗2026-02-09

▶

GHSA

Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users↗2026-02-09

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24098 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶