Vulnerability in Apache Software Foundation Airflow
CVE-2026-28563
In Apache Airflow versions 3.1.0 through 3.1.7, the /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs…
EPSS: 0.000 (11.1th percentile)
Affected products
- Apache Software Foundation Airflow — versions 3.0.0
Weakness classification (CWE)
References
- github.com/apache/airflow/pull/62046 (patch)
- lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s (vendor-advisory)