Skip to main content

Apache EUVDEUVD-2026-20878

| CVE-2026-34538 MEDIUM
Exposure of Resource to Wrong Sphere (CWE-668)
2026-04-09 apache GHSA-r7vr-m4jw-r794
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Apr 09, 2026 - 09:30 euvd
EUVD-2026-20878
Analysis Generated
Apr 09, 2026 - 09:30 vuln.today
Patch released
Apr 09, 2026 - 09:30 nvd
Patch available
CVE Published
Apr 09, 2026 - 09:09 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on apache-airflow (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionCVE.org

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only.

Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results.

Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue.

AnalysisAI

Apache Airflow 3.0.0 through 3.1.8 discloses XCom result values to users with only DAG Run read permissions (such as Viewer role), violating the FAB RBAC model that treats XCom as a protected resource. This information disclosure affects authenticated users and allows them to access sensitive execution results they should not be able to view. The vulnerability is not confirmed as actively exploited, and a patch is available in Apache Airflow 3.2.0.

Technical ContextAI

Apache Airflow's DagRun wait endpoint fails to enforce proper access control for XCom values, which are execution results that can contain sensitive information. The vulnerability stems from insufficient authorization checks on a per-resource basis within Airflow's FAB (Flask-AppBuilder) Auth Manager, which is designed to enforce role-based access control (RBAC). XCom (cross-communication) is a mechanism in Airflow for passing data between tasks and accessing execution logs; the FAB RBAC model explicitly designates XCom as a protected resource separate from DAG Run metadata. The Viewer role, as defined in Airflow's security documentation, should provide read-only access to DAG definitions and execution status without exposing sensitive results. The root cause is improper authorization validation (CWE-668: Operation on Resource in Wrong Phase of Lifetime) that returns XCom data to callers without verifying they have explicit permission to access that specific resource class.

RemediationAI

Vendor-released patch: Apache Airflow 3.2.0. Organizations should upgrade to Apache Airflow 3.2.0 or later as the primary remediation. Until patching is possible, administrators can implement compensating controls by restricting Viewer role assignments to users and service accounts that do not require access to sensitive DAG execution environments, and by reviewing IAM policies to limit exposure. The patch details are available at https://github.com/apache/airflow/pull/64415 and the full advisory is at https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl.

Share

EUVD-2026-20878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy