CVE-2026-26929

CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 83.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedMar 17

Description

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/airflow3.0.0 — 3.1.8

▶PyPIapache-airflow3.0.0 — 3.1.8

▶CVEListV5apache_software_foundation/apache_airflow3.0.0 — 3.1.8

🔴Vulnerability Details

OSV

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata↗2026-03-17

▶

GHSA

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata↗2026-03-17

▶

CVEList

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata↗2026-03-17

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26929 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶