Description
The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Published: 2026-06-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The /ui/structure/structure_data endpoint in Airflow returns external dependency graph nodes for linked DAGs without verifying that the user has read permission on those linked DAGs. An authenticated UI or API user who can read one DAG can therefore enumerate the IDs and dependency metadata of other DAGs to which they are not authorized. This flaw enables disclosure of the DAG dependency topology and other workflow information that should remain private. The underlying weakness is improper authorization (CWE-285).

Affected Systems

Apache Airflow deployments that rely on per-DAG read scoping to keep dependency topology private across teams. Versions prior to 3.2.2 are affected; upgrading to 3.2.2 or later resolves the issue.

Risk and Exploitability

The vulnerability can be exploited by any authenticated user who has read access to at least one DAG; no additional exploit is required. While no EPSS or CVSS score is provided, the ability to enumerate DAG metadata constitutes a high-impact information-disclosure risk. The flaw is not currently listed in the CISA KEV catalog and no publicly available exploitation code is documented, but the potential for privacy leakage and cross-team data exposure warrants prompt remediation.

Generated by OpenCVE AI on June 1, 2026 at 10:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.2 or later to apply the fixed permission check on the structure_data endpoint.
  • Validate that user permissions are correctly configured so that only authorized users have read access to each DAG; enforce the minimum required scope for each team.
  • Perform integrity checks on the dependency graph views to confirm that users cannot view DAGs outside their designated permissions.
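The following is an added example illustrating the authorization pattern behind the recommended actions; it is not Airflow's code and does not use Airflow's internal data structures. It models a dependency graph as a small in-memory list of nodes and edges (a constructed sample), shows a handler that returns linked DAG nodes without consulting the caller's permissions (the CWE-285 pattern described above) next to a scoped handler that filters both nodes and edges by a read-permission callback, and includes a `leaked_dag_ids` check that reports any DAG IDs in a response the caller is not permitted to read. The `Node`, `Edge`, `make_reader` and handler names are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


# Hypothetical graph model standing in for the UI's structure data.
@dataclass(frozen=True)
class Node:
    dag_id: str
    kind: str  # "dag" for the requested DAG, "external_dag" for linked DAGs


@dataclass(frozen=True)
class Edge:
    source: str
    target: str


# Constructed sample: four DAGs owned by different teams, linked by dependencies.
GRAPH_NODES: List[Node] = [
    Node("team_a_ingest", "dag"),
    Node("team_b_report", "external_dag"),
    Node("team_c_ml", "external_dag"),
    Node("finance_close", "external_dag"),
]
GRAPH_EDGES: List[Edge] = [
    Edge("team_a_ingest", "team_b_report"),
    Edge("team_a_ingest", "team_c_ml"),
    Edge("finance_close", "team_a_ingest"),
]


def make_reader(allowed_dag_ids: Iterable[str]) -> Callable[[str], bool]:
    """Build a per-DAG read-permission check from an explicit allow list
    (hypothetical stand-in for a real auth manager lookup)."""
    allowed: Set[str] = set(allowed_dag_ids)
    return lambda dag_id: dag_id in allowed


def structure_data_unscoped(requested_dag_id: str, nodes: List[Node], edges: List[Edge]) -> Dict[str, list]:
    """Unscoped behaviour: return every node linked to the requested DAG,
    regardless of whether the caller may read those linked DAGs."""
    linked_edges = [e for e in edges if requested_dag_id in (e.source, e.target)]
    linked_ids = {requested_dag_id} | {e.source for e in linked_edges} | {e.target for e in linked_edges}
    return {
        "nodes": [n for n in nodes if n.dag_id in linked_ids],
        "edges": linked_edges,
    }


def structure_data_scoped(
    requested_dag_id: str, nodes: List[Node], edges: List[Edge], can_read: Callable[[str], bool]
) -> Dict[str, list]:
    """Scoped behaviour: refuse the request unless the caller can read the
    requested DAG, then drop every linked node (and any edge touching it)
    that the caller is not permitted to read."""
    if not can_read(requested_dag_id):
        raise PermissionError(f"no read permission on DAG {requested_dag_id!r}")
    unscoped = structure_data_unscoped(requested_dag_id, nodes, edges)
    readable = {n.dag_id for n in unscoped["nodes"] if can_read(n.dag_id)}
    return {
        "nodes": [n for n in unscoped["nodes"] if n.dag_id in readable],
        "edges": [e for e in unscoped["edges"] if e.source in readable and e.target in readable],
    }


def leaked_dag_ids(response: Dict[str, list], can_read: Callable[[str], bool]) -> List[str]:
    """Audit helper: list DAG IDs present in a response that the caller may
    not read. An empty list means the response respects the caller's scope."""
    seen: Set[str] = {n.dag_id for n in response["nodes"]}
    for e in response["edges"]:
        seen.add(e.source)
        seen.add(e.target)
    return sorted(d for d in seen if not can_read(d))


if __name__ == "__main__":
    # A caller scoped to Team A's DAG plus one downstream report DAG.
    reader = make_reader({"team_a_ingest", "team_b_report"})
    leaky = structure_data_unscoped("team_a_ingest", GRAPH_NODES, GRAPH_EDGES)
    safe = structure_data_scoped("team_a_ingest", GRAPH_NODES, GRAPH_EDGES, reader)
    print("unscoped response leaks:", leaked_dag_ids(leaky, reader))
    print("scoped response leaks:  ", leaked_dag_ids(safe, reader))
```

The scoped handler filters edges as well as nodes: an edge whose endpoint was removed would otherwise still reveal the unauthorized DAG ID. The `leaked_dag_ids` helper is the kind of check the third recommended action calls for; run it against each graph view with a reader built from a test user's actual permissions and expect an empty list.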


Tracking


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 09:15:00 +0000

Type        | Values Removed | Values Added
Description |                | The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Title       |                | Apache Airflow: DAG authorization bypass on /ui/structure/structure_data
Weaknesses  |                | CWE-285
References  |                |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T09:52:24.893Z

Reserved: 2026-04-16T01:56:58.354Z

Link: CVE-2026-40963

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T09:16:18.123

Modified: 2026-06-01T09:16:18.123

Link: CVE-2026-40963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z

Weaknesses