Apache Airflow: DAG authorization bypass

GHSA-x3fv-96qh-67m7 · BIT-airflow-2026-28563 · CVE-2026-28563 · PYSEC-2026-15

Published Mar 17, 2026 · Modified Jun 5, 2026

Description

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-28563
WEB https://github.com/apache/airflow/pull/62046
PACKAGE https://github.com/apache/airflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-15.yaml
WEB https://lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s
WEB http://www.openwall.com/lists/oss-security/2026/03/17/5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes