Apache Airflow DAG Authorization Bypass Vulnerability

Vulnerability

A vulnerability in Apache Airflow versions from 3.1.0 up to, but not including, 3.1.8 allows an authenticated user with the DAG Dependencies permission to bypass authorization. The /ui/dependencies endpoint returns the complete DAG dependency graph without restricting it to the DAG IDs the caller is authorized for. This flaw lets users enumerate DAGs they are not permitted to view.
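
The missing restriction described above, as an added example (not Airflow's code and not the actual 3.1.8 fix): a dependency graph returned whole versus filtered to the caller's authorized DAG IDs, plus a check usable as a regression test. The graph schema (nodes, edges, type, dag_id), the function names and the sample DAG and asset names are constructed assumptions.

```python
# Added illustration: a constructed graph model, not Airflow's schema or code.
SAMPLE_GRAPH = {
    "nodes": [
        {"id": "dag:sales_etl", "type": "dag", "dag_id": "sales_etl"},
        {"id": "dag:payroll", "type": "dag", "dag_id": "payroll"},
        {"id": "dag:reporting", "type": "dag", "dag_id": "reporting"},
        {"id": "asset:warehouse/sales", "type": "asset", "dag_id": None},
        {"id": "asset:hr/salaries", "type": "asset", "dag_id": None},
    ],
    "edges": [
        {"source": "dag:sales_etl", "target": "asset:warehouse/sales"},
        {"source": "asset:warehouse/sales", "target": "dag:reporting"},
        {"source": "dag:payroll", "target": "asset:hr/salaries"},
        {"source": "dag:payroll", "target": "dag:reporting"},
    ],
}


def unfiltered_graph(graph, authorized_dag_ids):
    """Flawed pattern: permission to call the endpoint is treated as
    permission to see every DAG, so the caller's DAG list is ignored."""
    return graph


def filter_graph(graph, authorized_dag_ids):
    """Return only what the caller's authorized DAG IDs justify showing."""
    allowed = set(authorized_dag_ids)
    dag_nodes = {n["id"] for n in graph["nodes"] if n["type"] == "dag"}
    visible = {n["id"] for n in graph["nodes"]
               if n["type"] == "dag" and n["dag_id"] in allowed}
    # Design choice: keep a non-DAG node only if it touches a visible DAG,
    # so an orphaned asset cannot hint that a hidden DAG exists.
    linked = set()
    for e in graph["edges"]:
        for a, b in ((e["source"], e["target"]), (e["target"], e["source"])):
            if a in visible and b not in dag_nodes:
                linked.add(b)
    keep = visible | linked
    return {
        "nodes": [n for n in graph["nodes"] if n["id"] in keep],
        "edges": [e for e in graph["edges"]
                  if e["source"] in keep and e["target"] in keep],
    }


def leaked_dag_ids(response, authorized_dag_ids):
    """Regression check: DAG IDs present in a response but not authorized."""
    return {n["dag_id"] for n in response["nodes"]
            if n["type"] == "dag"} - set(authorized_dag_ids)
```

Edges are dropped whenever either endpoint is hidden, so a visible DAG's link to an unauthorized DAG does not disclose that DAG's ID.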

Impact

Exploitation of this vulnerability could give users unauthorized visibility of DAGs, exposing information they should not be able to see.

Remediation

Users are advised to upgrade to Apache Airflow 3.1.8 or later, which addresses this vulnerability.

Added: Mar 17, 2026, 11:22 AM
Updated: Mar 17, 2026, 11:22 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 4.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.