Skip to main content

Apache Airflow CVE-2026-41014

| EUVDEUVD-2026-33595 MEDIUM
Missing Authorization (CWE-862)
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Source Code Evidence Fetched
Jun 02, 2026 - 17:26 vuln.today
Analysis Generated
Jun 02, 2026 - 17:26 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
4.3 (MEDIUM)
Patch available
Jun 01, 2026 - 10:01 EUVD
CVE Published
May 31, 2026 - 12:45 nvd
MEDIUM 4.3
CVE Published
May 31, 2026 - 12:45 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 pypi packages depend on apache-airflow (1 direct, 9 indirect)

Ecosystem-wide dependent count for version 3.2.0.

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Per-DAG RBAC bypass in Apache Airflow 3.2.0-3.2.1 allows authenticated users with restricted DAG permissions to read partitioned DAG run metadata for DAGs outside their authorized scope via the /ui/partitioned_dag_runs endpoint. The route enforced asset-level access control via requires_access_asset but omitted the parallel DAG-level check (requires_access_dag) and result-set filtering by readable DAG IDs, creating a gap in the multi-layer authorization model. No public exploit identified at time of analysis; EPSS is 0.01% (4th percentile), indicating very low exploitation probability consistent with the authenticated, information-disclosure-only impact.

Technical ContextAI

Apache Airflow's FastAPI-based UI API exposes the /ui/partitioned_dag_runs endpoint, which queries the AssetPartitionDagRun table to return partitioned DAG run records keyed by target_dag_id. The route applied requires_access_asset(method='GET') to gate on asset-level permissions but failed to also invoke requires_access_dag(method='GET') or inject a ReadableDagsFilterDep to scope the SQL query to the caller's authorized DAG IDs. CWE-862 (Missing Authorization) directly describes this root cause: a code path performs a data-access operation without verifying that the caller holds the necessary authorization for the resources returned. The PR #65344 fix adds both a route-level Depends(requires_access_dag(method='GET')) dependency and a query-time WHERE filter (AssetPartitionDagRun.target_dag_id.in_(readable_dag_ids)) to close both the access-check and data-leakage gaps simultaneously. The affected component is in airflow-core/src/airflow/api_fastapi/core_api/routes/ui/partitioned_dag_runs.py.

RemediationAI

Upgrade to Apache Airflow 3.2.2 or later, which includes the authorization fix from GitHub PR #65344 that adds DAG-level access enforcement and result-set filtering to the /ui/partitioned_dag_runs endpoint. The Apache advisory thread at https://lists.apache.org/thread/12nbzwwby7g883w2j13gn7ny1545xob9 provides official guidance. If immediate upgrade is blocked, a targeted compensating control is to restrict access to the /ui/partitioned_dag_runs path at the reverse-proxy or API gateway layer to only users or roles that have full DAG visibility - trade-off is that legitimate UI features relying on this endpoint (partitioned asset timetable views) will be unavailable to restricted users. Alternatively, flattening DAG permissions so all authenticated users share the same access level eliminates the exploitable boundary but defeats the purpose of per-DAG RBAC. Generic network perimeter controls do not address the root authorization gap and should not be substituted for patching.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-41014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy