Apache Airflow EUVD-2026-25419

CVE-2026-40690 | MEDIUM | CVSS 3.1: 4.3
Insufficient Granularity of Access Control (CWE-1220)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (3 events)

Analysis Generated: Apr 24, 2026 - 16:22 (vuln.today)
CVSS changed: Apr 24, 2026 - 16:22 (NVD), from 4.3 (None) to 4.3 (MEDIUM)
Patch available: Apr 24, 2026 - 15:01 (EUVD)

Description (NVD)

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.

Users are recommended to upgrade to version 3.2.1, which fixes this issue.
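
One way to scope such a graph to the viewer's DAG read permissions, shown as an added example that is not Apache Airflow's code or its actual fix. The node ids, the `EDGES` sample and every function name are hypothetical, and the data is constructed.

```python
# Added example: hypothetical data model, not Apache Airflow's code.
# Each edge links a DAG node and an asset node (producer -> asset, asset -> consumer).
EDGES = [  # constructed sample deployment
    ("asset:clicks", "dag:marketing_report"),
    ("dag:finance_etl", "asset:ledger"),
    ("asset:ledger", "dag:marketing_report"),
    ("dag:hr_payroll", "asset:salaries"),
]


def _adjacency(edges):
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def _walk(start, adj, allowed=None):
    """Connected component of `start`; if `allowed` is given, never enter other nodes."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen and (allowed is None or nxt in allowed):
                seen.add(nxt)
                stack.append(nxt)
    return seen


def graph_unfiltered(asset_id, edges):
    """Behaviour the description reports: nodes are not restricted per viewer."""
    adj = _adjacency(edges)
    return _walk(asset_id, adj) if asset_id in adj else None


def graph_for_viewer(asset_id, edges, readable_dags):
    """Return (nodes, edges) limited to what `readable_dags` authorizes, else None."""
    readable = set(readable_dags)
    adj = _adjacency(edges)
    visible = {n for n in adj if n in readable}
    # An asset is visible only if it touches at least one DAG the viewer can read.
    visible |= {n for n in adj if n.startswith("asset:") and adj[n] & readable}
    if asset_id not in visible:
        return None  # same answer as for an unknown asset: existence is not revealed
    nodes = _walk(asset_id, adj, allowed=visible)
    kept = [(s, d) for s, d in edges if s in nodes and d in nodes]
    return nodes, kept
```

The traversal refuses to pass through hidden nodes, so a DAG the viewer cannot read never appears as an intermediate hop, and an out-of-scope asset returns the same result as a nonexistent one.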

Analysis (AI)

Apache Airflow versions prior to 3.2.1 allow authenticated users with read access to at least one directed acyclic graph (DAG) to enumerate and discover the names and existence of all other DAGs and assets in the deployment, regardless of their assigned permissions. This information disclosure vulnerability enables privilege escalation reconnaissance by revealing the complete asset topology to users with limited scope authorization. …
