Apache Airflow Wildcard DagVersion Listing Bypasses Per-DAG Authorization

Vulnerability

Apache Airflow versions 3.0.0 through 3.1.7 allow unauthorized access to DAG version metadata. The issue lies in the FastAPI DagVersion listing API: when the dag_id parameter is set to the wildcard character '~', meaning all DAGs, the endpoint does not apply per-DAG authorization filtering to the result set. Consequently, version records for DAGs that the requester is not permitted to access are disclosed.

Impact

A requester who can reach the listing endpoint obtains DAG version metadata for every DAG, not only those they are authorized to view. This exposes information about workflows the requester should not see, and at minimum reveals that those DAGs exist.
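The flaw described in the Vulnerability and Impact sections, as an added illustration that is not Airflow's code or its actual patch: a pure-Python model of a wildcard list handler. The vulnerable form skips the per-DAG check entirely on the '~' path; the hardened form filters the result set down to the DAGs the requester may read. The DagVersion rows, the READ_GRANTS table, the user names and the helper functions are all constructed for this example.

```python
from dataclasses import dataclass

# Wildcard accepted by the listing endpoint in place of a concrete dag_id.
ALL_DAGS = "~"


@dataclass(frozen=True)
class DagVersion:
    dag_id: str
    version_number: int


# Constructed sample rows standing in for the metadata database.
VERSIONS = [
    DagVersion("etl_public", 1),
    DagVersion("etl_public", 2),
    DagVersion("finance_payroll", 1),
    DagVersion("hr_offboarding", 3),
]

# Hypothetical authorization table: user -> set of DAG ids the user may read.
READ_GRANTS = {
    "analyst": {"etl_public"},
    "admin": {"etl_public", "finance_payroll", "hr_offboarding"},
}


def can_read_dag(user: str, dag_id: str) -> bool:
    """Per-DAG read check against the hypothetical grant table."""
    return dag_id in READ_GRANTS.get(user, set())


def list_dag_versions_vulnerable(user: str, dag_id: str) -> list[DagVersion]:
    """Handler shaped like the flaw in the advisory (hypothetical code).

    The per-DAG check runs only for a concrete dag_id; the wildcard branch
    returns every row without consulting the requester's grants.
    """
    if dag_id == ALL_DAGS:
        return list(VERSIONS)
    if not can_read_dag(user, dag_id):
        raise PermissionError(f"{user} may not read {dag_id}")
    return [v for v in VERSIONS if v.dag_id == dag_id]


def list_dag_versions_fixed(user: str, dag_id: str) -> list[DagVersion]:
    """Hardened handler: the wildcard expands only to DAGs the requester
    is authorized to read, so the filter is applied on both branches."""
    if dag_id == ALL_DAGS:
        return [v for v in VERSIONS if can_read_dag(user, v.dag_id)]
    if not can_read_dag(user, dag_id):
        raise PermissionError(f"{user} may not read {dag_id}")
    return [v for v in VERSIONS if v.dag_id == dag_id]


def leaked_dag_ids(user: str, handler) -> set[str]:
    """DAG ids that `handler` exposes to `user` through the wildcard even
    though the user holds no read grant for them. Empty means no leak."""
    rows = handler(user, ALL_DAGS)
    return {v.dag_id for v in rows if not can_read_dag(user, v.dag_id)}


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_dag_ids("analyst", list_dag_versions_vulnerable)))
    print("fixed leaks:     ", sorted(leaked_dag_ids("analyst", list_dag_versions_fixed)))
```

The point of the hardened version is that the wildcard is a request for "everything I am allowed to see", not "everything", so the authorization filter has to be applied to the row set itself rather than to the path parameter. Any list endpoint that accepts a wildcard or omits an identifier needs the same treatment; checking only the single-resource branch leaves the bulk branch open.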

Remediation

Users are advised to upgrade to Apache Airflow 3.1.8 or later, which fixes this issue. After upgrading, a listing request with dag_id set to '~' should return only the versions of DAGs the requester is authorized to read.

Added: Mar 17, 2026, 11:26 AM
Updated: Mar 17, 2026, 11:26 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 4.8
remediation: 7.7
relevance: 4.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.