Apache Airflow
cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*
- >= 3.0.0, < 3.2.0
A vulnerability in Apache Airflow versions 3.0.0 prior to 3.2.0 allows an authorization bypass in the DagRun wait endpoint, where XCom result values are exposed to users with only DAG Run read permissions, such as those in the Viewer role. This issue contradicts the FAB RBAC model, which considers XCom a separate protected resource, and the security model documentation that designates the Viewer role as read-only. The vulnerability arises because Airflow's access control, managed by the FAB Auth Manager, fails to properly restrict XCom access for users with limited permissions.
Exploitation of this vulnerability leads to unauthorized access to XCom result values, which may contain sensitive execution results, for users with DAG Run read permissions.
Users are advised to upgrade to Apache Airflow 3.2.0, which addresses this vulnerability.
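As an added illustration, not Airflow's own code, the following Python models the access decision at stake: the affected behaviour gates XCom values in the wait response on DAG Run read alone, while the corrected model also requires XCom read, matching the FAB RBAC resource split the advisory describes. The permission names, the `User` class and the version helper are assumptions for this illustration.

```python
import re
from dataclasses import dataclass, field

# FAB RBAC-style (resource, action) pairs; names are assumed for this
# illustration and are not taken from Airflow's source.
DAG_RUN_READ = ("DAG Runs", "can_read")
XCOM_READ = ("XComs", "can_read")

# Affected range stated in the advisory: 3.0.0 <= version < 3.2.0
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 2, 0)


def parse_version(text: str) -> tuple:
    """Turn 'X.Y.Z' (pre-release suffixes ignored) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected_version(text: str) -> bool:
    """True when an Airflow version string falls inside the advisory's range."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_IN


@dataclass
class User:
    # Constructed stand-in for an authenticated principal and its FAB permissions.
    permissions: set = field(default_factory=set)

    def can(self, perm) -> bool:
        return perm in self.permissions


def wait_response(user: User, state: str, xcom_values: dict, fixed: bool) -> dict:
    """Model of the DagRun wait endpoint's response filtering.

    fixed=False reproduces the reported behaviour: DAG Run read alone is
    enough to receive XCom values. fixed=True models the corrected check,
    where XCom is treated as its own protected resource.
    """
    if not user.can(DAG_RUN_READ):
        raise PermissionError("DAG Run read permission required")
    resp = {"state": state}
    if not fixed or user.can(XCOM_READ):
        resp["xcom_values"] = xcom_values  # only reached by XCom readers when fixed
    return resp
```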