Impact
Apache Airflow versions 3.0.0 through 3.1.7 expose a wildcard DagVersion listing API that does not apply per‑DAG authorization when the request sets dag_id to "~". This flaw, identified as CWE‑732 (Incorrect Authorization), allows an attacker to retrieve version metadata for DAGs that the requester is not allowed to see, thereby leaking potentially sensitive information about the system’s data pipelines. The primary impact is a compromise of confidentiality, as the attacker gains unauthorized visibility into DAG metadata and version history.
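The authorization gap described above, shown as a small model in which the wildcard path skips the per-DAG check, next to a version that narrows the wildcard to the caller's readable DAGs. This is an added example, not Airflow's code or its actual fix; the function names, permission map and sample DAG ids are hypothetical.

```python
from dataclasses import dataclass

WILDCARD = "~"  # dag_id value meaning "all DAGs", as described in the advisory


@dataclass(frozen=True)
class DagVersion:
    dag_id: str
    version_number: int


# Constructed sample data, not taken from any real deployment.
VERSIONS = [
    DagVersion("sales_etl", 1),
    DagVersion("sales_etl", 2),
    DagVersion("payroll_export", 1),
]
# Hypothetical permission map: user -> DAG ids that user may read.
READABLE = {"analyst": {"sales_etl"}, "admin": {"sales_etl", "payroll_export"}}


class Forbidden(Exception):
    """Raised when the caller may not read the requested DAG."""


def list_versions_flawed(user: str, dag_id: str) -> list[DagVersion]:
    # Flaw: the per-DAG check only runs for a concrete dag_id,
    # so the wildcard path returns every DAG's versions unfiltered.
    if dag_id != WILDCARD and dag_id not in READABLE.get(user, set()):
        raise Forbidden(dag_id)
    return [v for v in VERSIONS if dag_id in (WILDCARD, v.dag_id)]


def list_versions_checked(user: str, dag_id: str) -> list[DagVersion]:
    allowed = READABLE.get(user, set())
    if dag_id != WILDCARD and dag_id not in allowed:
        raise Forbidden(dag_id)
    # The wildcard is narrowed to the caller's readable DAGs before querying.
    wanted = allowed if dag_id == WILDCARD else {dag_id}
    return [v for v in VERSIONS if v.dag_id in wanted]


def leaked_dag_ids(user: str) -> set[str]:
    """DAG ids the flawed listing returns that the user may not read."""
    seen = {v.dag_id for v in list_versions_flawed(user, WILDCARD)}
    return seen - READABLE.get(user, set())
```

A regression test for this bug class compares the wildcard result against the caller's readable set, as `leaked_dag_ids` does, rather than only testing requests for a single named DAG.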
Affected Systems
The vulnerability affects Apache Airflow from the Apache Software Foundation. All releases from version 3.0.0 up to and including 3.1.7 are impacted. Users should verify their installed version to determine whether they are exposed.
Risk and Exploitability
The CVSS score of 6.5 classifies the issue as moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated API request to the FastAPI DagVersion endpoint, suggesting a network‑based attack vector that leverages legitimate Airflow credentials. Although the low exploitation probability and the scope limited to metadata leakage keep the risk moderate, urgent action is still advisable, especially for environments exposing Airflow’s API externally.