Skip to main content

Apache Airflow EUVDEUVD-2026-33596

| CVE-2026-40963 LOW
Improper Authorization (CWE-285)
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 01, 2026 - 15:23 vuln.today
Analysis Generated
Jun 01, 2026 - 15:23 vuln.today
CVSS changed
Jun 01, 2026 - 15:22 NVD
3.1 (LOW)
Patch available
Jun 01, 2026 - 10:01 EUVD
CVE Published
May 31, 2026 - 12:45 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on apache-airflow (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 3.0.0.

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

DAG authorization bypass in Apache Airflow 3.0.0-3.2.1 allows authenticated low-privileged users to enumerate DAG structure and cross-DAG dependency topology for DAGs they are not authorized to view, by querying the /ui/structure/structure_data endpoint without proper RBAC enforcement. The endpoint returned external dependency nodes and edges without applying the ReadableDagsFilterDep authorization filter, crossing per-DAG RBAC boundaries. No public exploit exists and EPSS is 0.01% (4th percentile); impact is confined to confidentiality of workflow topology in multi-tenant or fine-grained RBAC deployments.

Technical ContextAI

Apache Airflow's FastAPI-based UI backend exposes /ui/structure/structure_data (implemented in airflow-core/src/airflow/api_fastapi/core_api/routes/ui/structure.py) to render DAG dependency graphs, including cross-DAG relationships via external triggers when external_dependencies=True is passed. The RBAC framework uses requires_access_dag and ReadableDagsFilterDep to restrict which DAGs an authenticated caller may access. CWE-285 (Improper Authorization) identifies the root cause: the handler accepted and returned external dependency data - both DAG dependency nodes and dependency edge targets - without checking whether those referenced DAG IDs appeared in the caller's authorized readable set. The GitHub PR #65342 fix injects ReadableDagsFilterDep, materializes readable_dag_ids, and skips any dependency or edge whose target DAG ID falls outside the authorized set before constructing the response payload.

RemediationAI

Upgrade to Apache Airflow 3.2.2 or later, which incorporates the fix from GitHub pull request #65342 adding ReadableDagsFilterDep enforcement to the structure_data endpoint. The vendor advisory thread is available at https://lists.apache.org/thread/s907bhsksc37m59f0loqjcp1ryobrr60. If an immediate upgrade is not possible, restrict network-level access to the Airflow webserver UI to only explicitly trusted, internally managed user accounts - this does not eliminate the vulnerability but reduces the attacker pool to already-authenticated insiders, consistent with the low EPSS. Additionally, audit current DAG-level RBAC assignments: if no users are subject to per-DAG read restrictions (i.e., all authenticated users have global DAG access), the practical impact of this vulnerability is negligible and the deployment is not meaningfully exposed until the patch can be applied.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-33596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy