CVE-2026-34538: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
Apache Airflow versions 3. 0. 0 through 3. 1. 8 have a vulnerability where the DagRun wait endpoint exposes XCom result values to users with only DAG Run read permissions, such as those assigned the Viewer role. This exposure conflicts with the intended role-based access control (RBAC) model, which treats XCom as a protected resource separate from DAG Run data. The Viewer role is documented as read-only and should not access sensitive execution results like XCom data. This issue is resolved in Apache Airflow version 3. 2. 0.
AI Analysis
Technical Summary
In Apache Airflow versions 3.0.0 to 3.1.8, the DagRun wait endpoint improperly returns XCom result values to users who have only DAG Run read permissions (e.g., Viewer role). This behavior violates the Flask AppBuilder (FAB) RBAC model and the documented security model, which define XCom as a separate protected resource and the Viewer role as read-only without access to sensitive execution results. The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere). Users are advised to upgrade to version 3.2.0 where this issue is fixed.
Potential Impact
Users with Viewer role permissions, intended to have read-only access without exposure to sensitive execution results, can access XCom result values through the DagRun wait endpoint. This leads to unintended exposure of potentially sensitive data, violating the access control model and security expectations. There is no indication of known exploits in the wild.
Mitigation Recommendations
Users should upgrade to Apache Airflow version 3.2.0 or later, where this issue is resolved. No other official remediation or temporary fixes are documented. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to 3.2.0 to address the vulnerability.
CVE-2026-34538: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
Description
Apache Airflow versions 3. 0. 0 through 3. 1. 8 have a vulnerability where the DagRun wait endpoint exposes XCom result values to users with only DAG Run read permissions, such as those assigned the Viewer role. This exposure conflicts with the intended role-based access control (RBAC) model, which treats XCom as a protected resource separate from DAG Run data. The Viewer role is documented as read-only and should not access sensitive execution results like XCom data. This issue is resolved in Apache Airflow version 3. 2. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In Apache Airflow versions 3.0.0 to 3.1.8, the DagRun wait endpoint improperly returns XCom result values to users who have only DAG Run read permissions (e.g., Viewer role). This behavior violates the Flask AppBuilder (FAB) RBAC model and the documented security model, which define XCom as a separate protected resource and the Viewer role as read-only without access to sensitive execution results. The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere). Users are advised to upgrade to version 3.2.0 where this issue is fixed.
Potential Impact
Users with Viewer role permissions, intended to have read-only access without exposure to sensitive execution results, can access XCom result values through the DagRun wait endpoint. This leads to unintended exposure of potentially sensitive data, violating the access control model and security expectations. There is no indication of known exploits in the wild.
Mitigation Recommendations
Users should upgrade to Apache Airflow version 3.2.0 or later, where this issue is resolved. No other official remediation or temporary fixes are documented. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to 3.2.0 to address the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-30T16:07:03.425Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d773081cc7ad14da8bdc27
Added to database: 4/9/2026, 9:36:08 AM
Last enriched: 4/9/2026, 9:51:15 AM
Last updated: 4/9/2026, 12:12:33 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.