CVE-2026-41014 - Vulnerability Details

- Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

Description

The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.

Published: 2026-06-01

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Airflow UI endpoint /ui/partitioned_dag_runs only checks asset‑level permissions, neglecting per‑Dag RBAC. An authenticated user granted the global Asset:read permission can query and retrieve state, schedule configuration, and wiring for any DAG, even if they have no explicit read rights on that DAG. This authorizes a confidential data exposure, allowing enumeration of DAG contents and execution context.

Affected Systems

This issue affects users of Apache Airflow supplied by The Apache Software Foundation. Deployments running any Airflow version older than 3.2.2 are vulnerable, as the patch to enforce per‑Dag RBAC was released in 3.2.2.

Risk and Exploitability

The vulnerability exists in the UI layer and can be exercised simply by sending HTTP requests to the /ui/partitioned_dag_runs endpoint. No elevated privileges beyond a legitimate Asset:read role are required, and no additional code execution is involved. EPSS suggests a probability of exploitation of less than 1%, and the vulnerability is not catalogued in CISA KEV. The CVSS score of 4.3 indicates moderate severity, but the potential for unauthorized data disclosure makes the risk high for environments where sensitive DAG information is bound to strict access controls.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Airflow

unaffected

Version	Status	Constraints
`3.2.0`	affected	< 3.2.2

Configuration 1 [-]

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Apache

Airflow

95%

Version	Status	Scheme	Platform
`[3.2.0,3.2.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache Airflow to version 3.2.2 or later
Revoke or narrow Asset:read permissions so that users only have this role when they also require DAG read access
Verify RBAC configuration and enable per‑Dag read scopes so that endpoint checks the proper permissions

Generated by OpenCVE AI on June 2, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00352.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/31/4
https://github.com/apache/airflow/pull/65344
https://lists.apache.org/thread/12nbzwwby7g883w2j13gn7ny1545xob9

History

Tue, 02 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:airflow::::::::

Tue, 02 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 02 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Mon, 01 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache airflow
Vendors & Products		Apache Apache airflow

Mon, 01 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/31/4

Mon, 01 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
Title		Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
Weaknesses		CWE-862
References		https://github.com/apache/airflow/pull/65344 https://lists.apache.org/thread/12nbzwwby7g883w2j13gn7ny1545xob9

Subscriptions

Apache Airflow

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-01T07:53:52.098Z

Updated: 2026-06-02T16:42:42.239Z

Reserved: 2026-04-16T02:20:48.662Z

Link: CVE-2026-41014

Vulnrichment

Updated: 2026-06-01T09:52:26.717Z

NVD

Status : Analyzed

Published: 2026-06-01T09:16:18.230

Modified: 2026-06-02T18:49:24.210

Link: CVE-2026-41014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T18:30:15Z

Weaknesses

CWE-862
Missing Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object