What is the CVSS score of CVE-2026-46764?

CVE-2026-46764 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-46764?

Yes, a patch is available for CVE-2026-46764. Update the affected software to the latest version immediately.

Apache Airflow CVE-2026-46764

EUVD-2026-33584 MEDIUM

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-05-31

GHSA-qphr-3mvq-v466

Python Apache Deserialization Authentication Bypass

4.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

Jun 01, 2026 - 18:38 vuln.today

Analysis Generated

Jun 01, 2026 - 18:38 vuln.today

CVSS changed

Jun 01, 2026 - 18:37 NVD

4.3 (MEDIUM)

Patch available

Jun 01, 2026 - 10:01 EUVD

CVE Published

May 31, 2026 - 12:45 nvd

MEDIUM 4.3

CVE Published

May 31, 2026 - 12:45 nvd

UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

The event log detail endpoint in Apache Airflow before 3.2.2 applies a generic DAG-level audit log permission check rather than scoping authorization to the specific DAG that owns the requested event log entry, allowing any authenticated low-privilege user to read audit log entries belonging to DAGs outside their permitted scope. The flaw is a broken object-level authorization (IDOR) pattern - classified as CWE-639 - where the user-supplied event_log_id path parameter can reference log rows from unauthorized DAGs without triggering a rejection. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privilege Airflow user

Delivery

Send GET /eventLogs/{target_event_log_id}

Exploit

Old guard applies generic DAG audit-log check (no DAG-scope resolution)

Execution

Authorization passes without per-DAG validation

Persist

API returns event log entry from unauthorized DAG

Impact

Attacker reads sensitive audit log metadata outside permitted scope

Access

Authenticate as low-privilege Airflow user

Delivery

Send GET /eventLogs/{target_event_log_id}

Exploit

Old guard applies generic DAG audit-log check (no DAG-scope resolution)

Execution

Authorization passes without per-DAG validation

Persist

API returns event log entry from unauthorized DAG

Impact

Attacker reads sensitive audit log metadata outside permitted scope

Vulnerability AssessmentAI

Exploitation	Exploitation requires an authenticated account (PR:L) that holds at least read permission on `DagAccessEntity.AUDIT_LOG` for one or more DAGs within the Airflow deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 4.3 score (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately characterizes this as a medium-severity, network-reachable, low-complexity, authenticated information disclosure with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated Airflow user who has been granted audit-log read access for a single DAG (e.g., a developer restricted to `dag_A`) sends sequential or enumerated `GET /eventLogs/{id}` requests to the public API. Because the pre-3.2.2 authorization check verifies only the generic DAG audit-log permission and does not resolve the owning DAG of each event log row, the API returns full event log detail records belonging to `dag_B`, `dag_C`, or any other DAG in the system. …
Remediation	Upgrade to Apache Airflow 3.2.2 or later, which replaces the generic `requires_access_dag` guard on the event log detail endpoint with the new `requires_access_event_log` dependency that performs per-row DAG-scoped authorization. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49257 CRITICAL Act Now

10.0 Jun 18

Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on

CVE-2026-10561 CRITICAL Act Now

10.0 Jun 22

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom

CVE-2026-55255 CRITICAL Act Now

9.9 Jun 19

Cross-user flow execution in Langflow versions prior to 1.9.1 allows any authenticated API user to run another user's fl

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-38714 CRITICAL Act Now

9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co

CVE-2026-46764 vulnerability details – vuln.today

Back

Apache Airflow CVE-2026-46764

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Description PRE-NVD

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

More from same product – last 7 days

Share

External POC / Exploit Code