Description
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.

Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Published: 2026-04-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of DAG names and related asset information
Action: Immediate Patch
AI Analysis

Impact

A flaw in Airflow’s asset dependency graph layer allows a user who can read any single DAG to view the graph for all assets in the deployment. The interface fails to enforce the viewer’s DAG‑read permissions, so the user can learn the existence and names of DAGs and assets outside the user’s authorized scope. This is a confidentiality risk: DAG and asset names, and the topology linking them, become visible to staff who are not authorized to see them.

Affected Systems

Apache Software Foundation’s Apache Airflow deployments running a version earlier than 3.2.1 are impacted. The vulnerability exists across all builds of Airflow prior to the 3.2.1 release, which adds proper access‑control checks to the asset graph view.

Risk and Exploitability

The CVSS score of 4.3 rates the flaw as medium severity. The EPSS score indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a legitimate authenticated session with read access to at least one DAG, after which the attacker can view the entire asset graph via the web UI. It does not provide code execution or privilege escalation, but it does leak information when an insider or a compromised account is used. The risk is therefore primarily information disclosure rather than system compromise.

Generated by OpenCVE AI on April 28, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.1 or later, which makes the asset graph view enforce DAG‑level permission checks and closes the insufficient access‑control granularity weakness (CWE‑1220).
  • Reevaluate all DAG read permissions and restrict them to only users who require access, thereby limiting the data exposed through the asset graph.
  • Perform a targeted security review of permission mappings and audit logs to confirm that the asset graph endpoint respects user privileges and that no unauthorized DAG names or assets are exposed.

Advisories
Source: GitHub GHSA
ID: GHSA-w7rc-q6cm-f5gm
Title: Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions
History

Mon, 27 Apr 2026 12:30:00 +0000

Values added:
First Time appeared: Apache, Apache airflow
CPEs: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
Vendors & Products: Apache, Apache airflow

Fri, 24 Apr 2026 17:30:00 +0000

Values added:
References

Fri, 24 Apr 2026 15:15:00 +0000

Values added:
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 13:15:00 +0000

Values added:
Description: The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Title: Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users
Weaknesses: CWE-1220
References

MITRE
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-04-24T16:20:27.315Z
Reserved: 2026-04-15T01:09:30.824Z
Link: CVE-2026-40690

Vulnrichment
Updated: 2026-04-24T16:20:27.315Z

NVD
Status: Analyzed
Published: 2026-04-24T13:16:21.443
Modified: 2026-04-27T12:24:56.147
Link: CVE-2026-40690

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-28T14:30:33Z

Weaknesses