CVE-2026-34538

CWE-668 — Exposure to Wrong Sphere4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 89.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow

Timeline

PublishedApr 9

Description

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶PyPIapache-airflow3.0.0 — 3.2.0

▶CVEListV5apache_software_foundation/apache_airflow3.0.0 — 3.2.0

🔴Vulnerability Details

GHSA

GHSA-r7vr-m4jw-r794: Apache Airflow versions 3↗2026-04-09

▶

GHSA

Apache Airflow has an authorization bypass in DagRun wait endpoint↗2026-04-09

▶

CVEList

Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure)↗2026-04-09

▶