Access Control Flaw in Apache Airflow Affects Viewer Role Permissions
CVE-2026-34538
Currently unrated
What is CVE-2026-34538?
The DagRun wait endpoint in Apache Airflow versions 3.0.0 through 3.1.8 incorrectly exposes XCom result values to users holding the Viewer role. That role is intended for read-only access, yet through this endpoint Viewer users can see task execution results that may be sensitive, which violates the intended security model. The issue undermines the FAB RBAC model, in which XCom is a separately protected resource. Users are urged to upgrade to Apache Airflow 3.2.0 to rectify this vulnerability.
Affected Version(s)
Apache Airflow >= 3.0.0, < 3.2.0
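The flaw described above is a missing per-resource authorization check on a composite endpoint: the caller is allowed to read the DagRun, so the XCom values attached to it are returned as well. The following is an added illustration, not Apache Airflow's own code; the role names, permission tuples, sample DagRun data and handler names are constructed for the example, and `is_affected` covers only plain numeric version strings.

```python
# Added illustration (not Apache Airflow's code): a FAB-style role/permission
# model applied to a "wait for DagRun" endpoint whose response also carries
# XCom values. Roles, permissions, sample data and handlers are constructed.
from dataclasses import dataclass

# FAB RBAC permissions are (action, resource) pairs; XCom is its own resource,
# so a Viewer who may read DAG Runs does not automatically get XCom access.
ROLE_PERMISSIONS = {
    "Viewer": {("can_read", "DAG Runs")},                       # no XCom read
    "Admin":  {("can_read", "DAG Runs"), ("can_read", "XComs")},
}

@dataclass
class User:
    name: str
    role: str

    def can(self, action: str, resource: str) -> bool:
        return (action, resource) in ROLE_PERMISSIONS.get(self.role, set())

# Constructed sample: a finished run whose task pushed a sensitive XCom value.
DAG_RUN = {"dag_id": "etl", "run_id": "manual__1", "state": "success",
           "xcom_results": {"extract": {"api_token": "s3cr3t-constructed"}}}

def wait_dag_run_vulnerable(user: User, run: dict) -> dict:
    """Checks DAG Run read permission only, then returns the whole record,
    including XCom values the Viewer role is not entitled to see."""
    if not user.can("can_read", "DAG Runs"):
        raise PermissionError("forbidden")
    return dict(run)

def wait_dag_run_fixed(user: User, run: dict) -> dict:
    """Authorizes every resource the response carries: XCom values are
    included only when the caller also holds can_read on XComs."""
    if not user.can("can_read", "DAG Runs"):
        raise PermissionError("forbidden")
    response = {k: v for k, v in run.items() if k != "xcom_results"}
    if user.can("can_read", "XComs"):
        response["xcom_results"] = run["xcom_results"]
    return response

def is_affected(version: str) -> bool:
    """True for releases in the advisory's range: 3.0.0 <= version < 3.2.0."""
    major, minor, *_ = (int(p) for p in version.split("."))
    return (3, 0) <= (major, minor) < (3, 2)
```

The fixed handler still returns the run state to a Viewer, so read-only monitoring keeps working while the XCom payload is withheld.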