Description
Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.


Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Published: 2026-03-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized DAG enumeration
Action: Patch
AI Analysis

Impact

Apache Airflow 3.1.x versions 3.1.0 through 3.1.7 expose their full DAG dependency graph via the /ui/dependencies endpoint regardless of authorization. An authenticated user who only has the DAG Dependencies permission can thus enumerate DAG IDs that they should not be able to view. The vulnerability is a classic example of incorrect authorization (CWE‑732) and allows an attacker to gain visibility into potentially sensitive workflow structures.

Affected Systems

The issue is present in Apache Airflow 3.1.0 up to and including 3.1.7. Versions 3.1.8 and later include a fix that removes the unfiltered DAG list from the endpoint.

Risk and Exploitability

The CVSS score is 4.3, indicating low to moderate severity, and the EPSS score is <1%, suggesting a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an authenticated session with DAG Dependencies access, so the attack vector is authenticated local. Overall risk is limited to the ability to enumerate DAGs, without impact on confidentiality or integrity of data beyond visibility.

Generated by OpenCVE AI on March 17, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch: upgrade Apache Airflow to 3.1.8 or later

Generated by OpenCVE AI on March 17, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x3fv-96qh-67m7 Apache Airflow: DAG authorization bypass
History

Tue, 17 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache airflow
CPEs cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache airflow

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
References

Tue, 17 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Title Apache Airflow: DAG authorization bypass
Weaknesses CWE-732
References

Subscriptions

Apache Airflow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-17T15:41:15.403Z

Reserved: 2026-03-01T12:53:02.570Z

Link: CVE-2026-28563

cve-icon Vulnrichment

Updated: 2026-03-17T13:32:02.156Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T11:16:11.647

Modified: 2026-03-17T17:42:05.800

Link: CVE-2026-28563

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:22Z

Weaknesses