CVE-2026-28563

CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 84.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedMar 17

Description

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDapache/airflow3.0.0 — 3.1.8

▶PyPIapache-airflow3.0.0 — 3.1.8

▶CVEListV5apache_software_foundation/apache_airflow3.0.0 — 3.1.8

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Apache Airflow: DAG authorization bypass↗2026-03-17

▶

CVEList

Apache Airflow: DAG authorization bypass↗2026-03-17

▶

GHSA

Apache Airflow: DAG authorization bypass↗2026-03-17

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28563 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶