GHSA-x2x7-p37c-43cr
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 10 pypi packages depend on apache-airflow (1 direct, 9 indirect)
Ecosystem-wide dependent count for version 3.2.0.
Description PRE-NVD
AnalysisAI
Per-DAG RBAC bypass in Apache Airflow 3.2.0-3.2.1 allows authenticated users with restricted DAG permissions to read partitioned DAG run metadata for DAGs outside their authorized scope via the /ui/partitioned_dag_runs endpoint. The route enforced asset-level access control via requires_access_asset but omitted the parallel DAG-level check (requires_access_dag) and result-set filtering by readable DAG IDs, creating a gap in the multi-layer authorization model. No public exploit identified at time of analysis; EPSS is 0.01% (4th percentile), indicating very low exploitation probability consistent with the authenticated, information-disclosure-only impact.
Technical ContextAI
Apache Airflow's FastAPI-based UI API exposes the /ui/partitioned_dag_runs endpoint, which queries the AssetPartitionDagRun table to return partitioned DAG run records keyed by target_dag_id. The route applied requires_access_asset(method='GET') to gate on asset-level permissions but failed to also invoke requires_access_dag(method='GET') or inject a ReadableDagsFilterDep to scope the SQL query to the caller's authorized DAG IDs. CWE-862 (Missing Authorization) directly describes this root cause: a code path performs a data-access operation without verifying that the caller holds the necessary authorization for the resources returned. The PR #65344 fix adds both a route-level Depends(requires_access_dag(method='GET')) dependency and a query-time WHERE filter (AssetPartitionDagRun.target_dag_id.in_(readable_dag_ids)) to close both the access-check and data-leakage gaps simultaneously. The affected component is in airflow-core/src/airflow/api_fastapi/core_api/routes/ui/partitioned_dag_runs.py.
RemediationAI
Upgrade to Apache Airflow 3.2.2 or later, which includes the authorization fix from GitHub PR #65344 that adds DAG-level access enforcement and result-set filtering to the /ui/partitioned_dag_runs endpoint. The Apache advisory thread at https://lists.apache.org/thread/12nbzwwby7g883w2j13gn7ny1545xob9 provides official guidance. If immediate upgrade is blocked, a targeted compensating control is to restrict access to the /ui/partitioned_dag_runs path at the reverse-proxy or API gateway layer to only users or roles that have full DAG visibility - trade-off is that legitimate UI features relying on this endpoint (partitioned asset timetable views) will be unavailable to restricted users. Alternatively, flattening DAG permissions so all authenticated users share the same access level eliminates the exploitable boundary but defeats the purpose of per-DAG RBAC. Generic network perimeter controls do not address the root authorization gap and should not be substituted for patching.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33595