Description
Apache Airflow versions 3.0.0 - 3.1.7 have a vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they do not have access to.

Users are advised to upgrade to 3.1.7 or later, which resolves this issue.
Published: 2026-02-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure of DAG import errors
Action: Apply Patch
AI Analysis

Impact

This vulnerability in Apache Airflow versions 3.0.0 through 3.1.7 allows any authenticated UI user who has permission to at least one DAG to view import error messages for DAGs beyond their authorized scope. The exposed error logs can reveal stack traces, underlying configuration, and other internal details that could aid future attacks. Importantly, this flaw only leaks information; it does not grant the ability to modify DAGs or execute arbitrary code.

Affected Systems

All installations running Apache Airflow 3.0.0, 3.0.1, 3.0.2, up through 3.1.7 are affected. The issue resides in the web UI component that displays DAG import errors. It impacts any environment where users have DAG-level permissions, irrespective of other security settings.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as moderate severity, while an EPSS score of less than 1% indicates a low likelihood of exploitation. Attack vectors require an authenticated session in the Airflow UI; the attacker can then request the error view endpoint for DAGs they cannot normally access. No privilege escalation or remote code execution is possible, and the flaw is not currently recorded in the CISA KEV catalog, but it still warrants prompt patching.

Generated by OpenCVE AI on April 16, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.1.7 or later.
  • Audit user permissions and remove unnecessary DAG access to limit the spread of error information if an upgrade is delayed.
  • Disable or mask detailed error messages in Airflow’s configuration as a temporary measure to reduce the amount of sensitive data revealed.


Advisories
Source: Github GHSA
ID: GHSA-5g2w-9f8g-g5q7
Title: Apache Airflow UI Exposes DAG Import Errors to Unauthorized Authenticated Users
History

Tue, 10 Mar 2026 18:30:00 +0000

Type: Description
Values Removed: Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue
Values Added: Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Wed, 11 Feb 2026 18:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 15:45:00 +0000

Type: First Time appeared
Values Added: Apache; Apache airflow

Type: Vendors & Products
Values Added: Apache; Apache airflow

Mon, 09 Feb 2026 18:30:00 +0000

Type: References

Mon, 09 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type: Description
Values Added: Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Type: Title
Values Added: Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors

Type: Weaknesses
Values Added: CWE-200

Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-10T18:14:10.674Z

Reserved: 2026-01-21T15:52:53.472Z

Link: CVE-2026-24098

Vulnrichment

Updated: 2026-02-09T17:18:52.980Z

NVD

Status: Analyzed

Published: 2026-02-09T11:16:14.660

Modified: 2026-03-11T13:51:59.417

Link: CVE-2026-24098

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses