CVE-2026-34538: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
Apache Airflow versions 3. 0. 0 through 3. 1. 8 have a vulnerability where the DagRun wait endpoint returns XCom result values to users with only DAG Run read permissions, such as those assigned the Viewer role. This behavior violates the intended role-based access control (RBAC) model, which treats XCom as a separate protected resource and defines the Viewer role as read-only without access to sensitive execution results. The issue is resolved in Apache Airflow 3. 2. 0.
AI Analysis
Technical Summary
The vulnerability CVE-2026-34538 in Apache Airflow affects versions 3.0.0 through 3.1.8. The DagRun wait endpoint improperly exposes XCom result values to users who have only DAG Run read permissions, including the Viewer role. This exposure conflicts with the Flask App Builder (FAB) RBAC model that treats XCom as a protected resource separate from DAG Runs. The Viewer role is intended to allow inspection of DAGs without access to sensitive execution data, but this flaw allows unauthorized read access to XCom results. The Apache Airflow project recommends upgrading to version 3.2.0 to remediate this issue.
Potential Impact
Users with read-only DAG Run permissions (e.g., Viewer role) can access sensitive XCom result data that should be restricted, potentially exposing confidential execution details. The vulnerability does not affect integrity or availability but results in unauthorized information disclosure. The CVSS score is 6.5 (medium severity) with network attack vector, low attack complexity, and requires low privileges without user interaction.
Mitigation Recommendations
Upgrade Apache Airflow to version 3.2.0 or later, where this issue is resolved. No official patch or temporary fix is documented beyond upgrading. Until upgraded, restrict access to DAG Runs carefully to minimize exposure. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to 3.2.0 for remediation.
CVE-2026-34538: CWE-668: Exposure of Resource to Wrong Sphere in Apache Software Foundation Apache Airflow
Description
Apache Airflow versions 3. 0. 0 through 3. 1. 8 have a vulnerability where the DagRun wait endpoint returns XCom result values to users with only DAG Run read permissions, such as those assigned the Viewer role. This behavior violates the intended role-based access control (RBAC) model, which treats XCom as a separate protected resource and defines the Viewer role as read-only without access to sensitive execution results. The issue is resolved in Apache Airflow 3. 2. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-34538 in Apache Airflow affects versions 3.0.0 through 3.1.8. The DagRun wait endpoint improperly exposes XCom result values to users who have only DAG Run read permissions, including the Viewer role. This exposure conflicts with the Flask App Builder (FAB) RBAC model that treats XCom as a protected resource separate from DAG Runs. The Viewer role is intended to allow inspection of DAGs without access to sensitive execution data, but this flaw allows unauthorized read access to XCom results. The Apache Airflow project recommends upgrading to version 3.2.0 to remediate this issue.
Potential Impact
Users with read-only DAG Run permissions (e.g., Viewer role) can access sensitive XCom result data that should be restricted, potentially exposing confidential execution details. The vulnerability does not affect integrity or availability but results in unauthorized information disclosure. The CVSS score is 6.5 (medium severity) with network attack vector, low attack complexity, and requires low privileges without user interaction.
Mitigation Recommendations
Upgrade Apache Airflow to version 3.2.0 or later, where this issue is resolved. No official patch or temporary fix is documented beyond upgrading. Until upgraded, restrict access to DAG Runs carefully to minimize exposure. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to 3.2.0 for remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-30T16:07:03.425Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d773081cc7ad14da8bdc27
Added to database: 4/9/2026, 9:36:08 AM
Last enriched: 4/16/2026, 12:20:25 PM
Last updated: 5/24/2026, 9:49:59 AM
Views: 124
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.