Vulnerability in Apache Software Foundation Airflow
CVE-2026-34538
Apache Airflow versions 3.0.0 through 3.1.8: the DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role. This behavior conflicts with the FAB RBAC model, which treats XCom as…
EPSS: 0.000 (2.5th percentile)
Affected products
- Apache Software Foundation Airflow — versions 3.0.0
Weakness classification (CWE)
References
- github.com/apache/airflow/pull/64415 (patch)
- lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl (vendor-advisory)