CVE-2026-40963: CWE-285: Improper Authorization in Apache Software Foundation Apache Airflow
The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
AI Analysis
Technical Summary
The vulnerability in Apache Airflow 3.0.0 involves the structure_data endpoint returning external dependency graph nodes for linked DAGs without proper authorization checks. This allows authenticated users with access to one DAG to enumerate linked DAG IDs and dependency metadata for other DAGs they should not have read access to, violating intended access controls. The issue impacts environments relying on per-DAG read scoping for privacy. The vendor recommends upgrading to version 3.2.2 or later to fix this issue.
Potential Impact
An authenticated user with read access to a single DAG can gain unauthorized visibility into the existence and dependency metadata of other DAGs they are not permitted to read. This could lead to information disclosure about DAG structures and dependencies across teams, potentially violating confidentiality policies in multi-tenant or segmented environments.
Mitigation Recommendations
Users should upgrade Apache Airflow to version 3.2.2 or later, where this improper authorization issue is resolved. No other mitigation or temporary workaround is specified. Patch status is not explicitly confirmed in the advisory, but the vendor recommends upgrading to a fixed version, indicating an official fix is available.
CVSS v3.1 Score: 3.1 (Low)
Weaknesses: CWE-285: Improper Authorization
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-04-16T01:56:58.354Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1d4e71e29bf47b50cd4967
Added to database: 6/1/2026, 9:18:41 AM
Last enriched: 6/1/2026, 9:48:56 AM
Last updated: 6/2/2026, 4:59:09 AM