Vulnerability in Apache Software Foundation Airflow
CVE-2026-40690
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAG…
EPSS: 0.001 (24.9th percentile)
Affected products
- Apache Software Foundation Airflow — versions 0
Weakness classification (CWE)
References
- github.com/apache/airflow/pull/65273 (patch)
- lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl (vendor-advisory)