CVE-2026-26929
published 2026-03-17CVE-2026-26929: Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id…
medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.
Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | airflow | >= 3.0.0 < 3.1.8 | 3.1.8 |
| apache_software_foundation | apache_airflow | >= 3.0.0 < 3.1.8 | 3.1.8 |