Vulnerability in Apache Software Foundation Airflow

CVE-2026-26929

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that t…

EPSS: 0.001 (17.3th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Airflow — versions 3.0.0

Weakness classification (CWE)

CWE-732 — Incorrect Permission Assignment for Critical Resource

References

github.com/apache/airflow/pull/61675 (patch)
lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss (vendor-advisory)