Description
The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Published: 2026-06-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Airflow UI endpoint /ui/partitioned_dag_runs only checks asset‑level permissions, neglecting per‑Dag RBAC. An authenticated user granted the global Asset:read permission can query and retrieve state, schedule configuration, and wiring for any DAG, even if they have no explicit read rights on that DAG. This authorizes a confidential data exposure, allowing enumeration of DAG contents and execution context.

Affected Systems

This issue affects users of Apache Airflow supplied by The Apache Software Foundation. Deployments running any Airflow version older than 3.2.2 are vulnerable, as the patch to enforce per‑Dag RBAC was released in 3.2.2.

Risk and Exploitability

The vulnerability exists in the UI layer and can be exercised simply by sending HTTP requests to the /ui/partitioned_dag_runs endpoint. No elevated privileges beyond a legitimate Asset:read role are required, and no additional code execution is involved. EPSS information is not available, and the vulnerability is not catalogued in CISA KEV, but the potential for unauthorized data disclosure makes the risk high for environments where sensitive DAG information is bound to strict access controls.

Generated by OpenCVE AI on June 1, 2026 at 10:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Airflow to version 3.2.2 or later
  • Revoke or narrow Asset:read permissions so that users only have this role when they also require DAG read access
  • Verify RBAC configuration and enable per‑Dag read scopes so that endpoint checks the proper permissions

Generated by OpenCVE AI on June 1, 2026 at 10:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Title Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
Weaknesses CWE-862
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T09:52:26.717Z

Reserved: 2026-04-16T02:20:48.662Z

Link: CVE-2026-41014

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-01T09:16:18.230

Modified: 2026-06-01T09:16:18.230

Link: CVE-2026-41014

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z

Weaknesses