Impact
The Event Log detail endpoint GET /api/v2/eventLogs/{event_log_id} in Apache Airflow returns audit-log rows directly by numeric ID after only the generic audit-log permission check. The collection endpoint enforces per-DAG scoping, but the detail endpoint does not, so an authenticated user holding the generic audit-log read permission can guess or enumerate numeric IDs and retrieve audit-log entries belonging to any other DAG, disclosing sensitive information about that DAG's execution and configuration. This weakness is an authorization bypass through a user-controlled key (CWE-639) and results in disclosure of confidential data.
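As an added illustration (not Airflow's own code; the in-memory table, permission model and function names are constructed for the example), the lookup pattern the advisory describes beside the scoped version that closes the gap:

```python
from dataclasses import dataclass

# Constructed stand-in for the audit-log table (hypothetical, not Airflow's schema).
@dataclass(frozen=True)
class EventLog:
    id: int
    dag_id: str
    event: str

EVENT_LOGS = {
    1: EventLog(1, "finance_etl", "trigger"),
    2: EventLog(2, "hr_reports", "delete"),
    3: EventLog(3, "finance_etl", "clear"),
}

# Constructed per-DAG scoping: which DAGs each user may read audit logs for.
USER_DAG_ACCESS = {"alice": {"finance_etl"}, "bob": {"hr_reports"}}

class Forbidden(Exception):
    """Caller lacks the generic audit-log permission (HTTP 403 at the API layer)."""

class NotFound(Exception):
    """Row missing or outside the caller's scope (HTTP 404 at the API layer)."""

def has_audit_log_permission(user: str) -> bool:
    # Generic permission only: every known user holds it in this model.
    return user in USER_DAG_ACCESS

def get_event_log_unscoped(user: str, event_log_id: int) -> EventLog:
    """Pattern described above: generic check, then a raw lookup by numeric ID."""
    if not has_audit_log_permission(user):
        raise Forbidden(user)
    row = EVENT_LOGS.get(event_log_id)
    if row is None:
        raise NotFound(event_log_id)
    return row  # returned even when row.dag_id is not in the user's scope

def get_event_log_scoped(user: str, event_log_id: int) -> EventLog:
    """Hardened form: apply the same per-DAG scoping the collection endpoint uses."""
    if not has_audit_log_permission(user):
        raise Forbidden(user)
    row = EVENT_LOGS.get(event_log_id)
    # One response for "missing" and "not yours", so IDs cannot be probed.
    if row is None or row.dag_id not in USER_DAG_ACCESS[user]:
        raise NotFound(event_log_id)
    return row

def scoped_denies(user: str, event_log_id: int) -> bool:
    """True when the scoped handler refuses the request (used for checking)."""
    try:
        get_event_log_scoped(user, event_log_id)
    except NotFound:
        return True
    return False
```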
Affected Systems
Deployments of the Apache Software Foundation's Apache Airflow that rely on per-DAG audit-log scoping are affected. The fix is available in Apache Airflow 3.2.2 and later; systems running older versions remain susceptible.
Risk and Exploitability
The CVSS score is 4.3 and the EPSS score is <1%, indicating a very low but nonzero exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack is inferred to require only authenticated access and the ability to guess or enumerate numeric event-log IDs, conditions that ordinary Airflow accounts commonly satisfy. The consequence is that any user with audit-log read permission can read log entries outside their DAG scope, which may expose private data or system state. Because exploitation requires no privileges beyond a normal user account, the risk is significant for environments that expose the Airflow UI or API to untrusted users. Prompt remediation is recommended.
OpenCVE Enrichment