Description
The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Published: 2026-06-01
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The /ui/structure/structure_data endpoint in Airflow returns external dependency graph nodes for linked DAGs without verifying that the user has read permission on those linked DAGs. An authenticated UI or API user who can read one DAG can therefore enumerate the IDs and dependency metadata of other DAGs that they are not authorized to read. This flaw discloses the DAG dependency topology and related workflow information that should remain private. The underlying weakness is improper authorization (CWE-285).

Affected Systems

Apache Airflow deployments that rely on per-DAG read scoping to keep dependency topology private across teams. Versions prior to 3.2.2 are affected; upgrading to 3.2.2 or later resolves the issue.

Risk and Exploitability

The vulnerability can be exploited by any authenticated user who has read access to at least one DAG; no further exploit is required. The CVSS score is 3.1, indicating low severity, while EPSS remains below 1%. The ability to enumerate DAG metadata constitutes an information-disclosure risk. The flaw is not currently listed in the CISA KEV catalog and no publicly available exploitation code is documented, but the potential for privacy leakage and cross-team data exposure warrants prompt remediation.

Generated by OpenCVE AI on June 1, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.2 or later to apply the fixed permission check on the structure_data endpoint.
  • Validate that user permissions are correctly configured so that only authorized users have read access to each DAG; enforce the minimum required scope for each team.
  • Verify the dependency graph views directly to confirm that users cannot see DAGs outside their designated permissions.


Tracking

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Mon, 01 Jun 2026 15:30:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 12:45:00 +0000

Type: First Time appeared
Values added: Apache, Apache airflow
Type: Vendors & Products
Values added: Apache, Apache airflow

Mon, 01 Jun 2026 11:30:00 +0000

Type: References

Mon, 01 Jun 2026 09:15:00 +0000

Type: Description
Values added: The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Type: Title
Values added: Apache Airflow: DAG authorization bypass on /ui/structure/structure_data
Type: Weaknesses
Values added: CWE-285
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T14:18:37.838Z

Reserved: 2026-04-16T01:56:58.354Z

Link: CVE-2026-40963

Vulnrichment

Updated: 2026-06-01T09:52:24.893Z

NVD

Status : Analyzed

Published: 2026-06-01T09:16:18.123

Modified: 2026-06-01T17:06:48.227

Link: CVE-2026-40963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T16:30:06Z

Weaknesses