Apache Airflow Asset Graph View Bypasses DAG Read Permissions

Vulnerability

A vulnerability in Apache Airflow's asset dependency graph view prior to version 3.2.1 allows users with read access to at least one Directed Acyclic Graph (DAG) to view the asset graph for any other asset in the deployment. This oversight enables them to discover the existence and names of DAGs and assets beyond their authorized access.
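The class of authorization gap described above, as an added example: a simplified model that is not Apache Airflow's code and does not reproduce the 3.2.1 fix, which this page does not describe. The function names, the graph data and the visibility policy in `graph_scoped` are assumptions made for illustration.

```python
# Simplified model with constructed data; not Apache Airflow source code.
from collections import deque

# Constructed dependency edges between DAGs and assets (names are made up).
EDGES = [
    ("dag:team_a_ingest", "asset:a_raw"),
    ("asset:a_raw", "dag:team_a_clean"),
    ("dag:team_b_payroll", "asset:b_payroll"),
    ("asset:b_payroll", "dag:team_b_report"),
]

def adjacency(edges):
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj

def connected(edges, start):
    """All nodes reachable from start, ignoring edge direction."""
    adj, seen, queue = adjacency(edges), {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def graph_coarse(edges, asset, readable_dags):
    """Flawed gate: read access to any one DAG unlocks every asset's graph."""
    if not readable_dags:
        raise PermissionError("no DAG read access")
    return connected(edges, asset)

def graph_scoped(edges, asset, readable_dags):
    """Per-object check. Assumed policy: a user may see the DAGs they can
    read plus the assets directly linked to those DAGs, nothing else."""
    adj = adjacency(edges)
    dags = {f"dag:{name}" for name in readable_dags}
    allowed = dags | {n for d in dags for n in adj.get(d, ())}
    if asset not in allowed:
        raise PermissionError("asset is not linked to a readable DAG")
    return connected(edges, asset) & allowed
```

A regression test for this kind of endpoint should use a user with read access to exactly one DAG and assert that no node outside that scope appears in the response.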

Impact

Exploitation of this vulnerability could lead to unauthorized visibility of DAGs and assets, allowing users to access information outside their permission scope.

Remediation

Users are advised to upgrade to Apache Airflow version 3.2.1 or later, which addresses this vulnerability.

Added: Apr 24, 2026, 1:28 PM
Updated: Apr 24, 2026, 1:28 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 5.9
remediation: 7.7
relevance: 6.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.