Skip to main content

Apache Airflow CVE-2026-28563

| EUVDEUVD-2026-12564 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-03-17 apache GHSA-x3fv-96qh-67m7
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 17, 2026 - 11:57 euvd
EUVD-2026-12564
Analysis Generated
Mar 17, 2026 - 11:57 vuln.today
Patch released
Mar 17, 2026 - 11:57 nvd
Patch available
CVE Published
Mar 17, 2026 - 10:54 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on apache-airflow (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionCVE.org

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

AnalysisAI

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Technical ContextAI

CWE-732 (Incorrect Permissions).

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2026-33264 CRITICAL
9.8 Jul 07

Remote code execution in Apache Airflow before 3.3.0 lets a DAG author embed a malicious trigger whose attacker-controll

CVE-2026-30898 HIGH
8.8 Apr 18

Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate priv

CVE-2025-54550 HIGH
8.1 Apr 15

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xco

CVE-2026-30911 HIGH
8.1 Mar 17

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnera

CVE-2026-31987 HIGH
7.5 Apr 16

Apache Airflow 3.0.0 through 3.1.x exposes JWT authentication tokens in application logs, allowing any authenticated UI

CVE-2026-28779 HIGH
7.5 Mar 17

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High

CVE-2026-32228 HIGH
7.5 Apr 18

Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acycli

CVE-2026-49296 MEDIUM
6.5 Jul 07

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full fil

CVE-2026-49487 MEDIUM
6.5 Jul 07

Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when t

CVE-2026-48828 MEDIUM
6.5 Jul 07

Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read

CVE-2026-48892 MEDIUM
6.5 Jul 07

Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permissi

CVE-2026-26929 MEDIUM
6.5 Mar 17

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management proce

Vendor StatusVendor

Debian

Bug #819700
airflow
Release Status Fixed Version Urgency
open - -

Share

CVE-2026-28563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy