Access Control Vulnerability in Apache Airflow Product
CVE-2026-38743
Currently unrated
What is CVE-2026-38743?
The Apache Airflow product contains a vulnerability in the authenticated /ui/dags endpoint, which fails to enforce strict per-DAG access controls on Human-in-the-Loop (HITL) prompts and TaskInstance records. Because of this oversight, an authenticated user with read access to at least one DAG can access HITL prompts and full TaskInstance details belonging to other DAGs for which they hold no authorization. Consequently, sensitive parameters and task-related context can be exposed, breaking the intended isolation of data between DAG runs. Users should update to version 3.2.1 or later to mitigate this risk.
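The following is an added illustration of the class of flaw described above, not code from Apache Airflow or from this advisory. It models a listing endpoint in plain Python: the vulnerable variant checks only that the caller holds some DAG read permission and then returns every HITL prompt and TaskInstance, while the fixed variant filters each record against the DAGs the caller may actually read. The DAG ids, users, permission table and records are all constructed for the example, and `leaked_dag_ids` is a hypothetical audit helper a defender could run over an endpoint's output to confirm that no record from an unauthorised DAG is present.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskInstance:
    dag_id: str
    task_id: str
    run_id: str
    params: tuple  # (key, value) pairs; constructed stand-in for task params


@dataclass(frozen=True)
class HitlPrompt:
    dag_id: str
    task_id: str
    prompt: str


# Constructed sample records spanning two DAGs; not real Airflow data.
TASK_INSTANCES = [
    TaskInstance("etl_daily", "extract", "run_1", (("source", "s3://example-bucket/in"),)),
    TaskInstance("finance_close", "approve", "run_7", (("ledger", "Q1-close"),)),
]
HITL_PROMPTS = [
    HitlPrompt("etl_daily", "review", "Approve today's load?"),
    HitlPrompt("finance_close", "approve", "Release quarter-end figures?"),
]

# Constructed permission table: user -> DAG ids the user may read.
DAG_READ_PERMS = {
    "alice": frozenset({"etl_daily"}),
    "bob": frozenset({"etl_daily", "finance_close"}),
}


def allowed_dags(user: str) -> frozenset:
    """DAG ids the given user is authorised to read (empty if unknown user)."""
    return DAG_READ_PERMS.get(user, frozenset())


def list_ui_dags_vulnerable(user: str) -> dict:
    """Coarse check only: any authenticated user holding at least one DAG
    read permission receives every record, whatever DAG it belongs to."""
    if not allowed_dags(user):
        raise PermissionError("no DAG read permission")
    return {"task_instances": list(TASK_INSTANCES), "hitl_prompts": list(HITL_PROMPTS)}


def list_ui_dags_fixed(user: str) -> dict:
    """Per-record check: each HITL prompt and TaskInstance is kept only if
    its dag_id is one the caller is authorised to read."""
    allowed = allowed_dags(user)
    if not allowed:
        raise PermissionError("no DAG read permission")
    return {
        "task_instances": [ti for ti in TASK_INSTANCES if ti.dag_id in allowed],
        "hitl_prompts": [p for p in HITL_PROMPTS if p.dag_id in allowed],
    }


def leaked_dag_ids(user: str, response: dict) -> set:
    """Audit helper (hypothetical): DAG ids present in a response that the
    user is not authorised to read. An empty set means no cross-DAG leak."""
    seen = {record.dag_id for records in response.values() for record in records}
    return seen - allowed_dags(user)


if __name__ == "__main__":
    # alice may read only etl_daily; the vulnerable endpoint still hands her
    # finance_close records, the fixed one does not.
    print("vulnerable leaks:", leaked_dag_ids("alice", list_ui_dags_vulnerable("alice")))
    print("fixed leaks:", leaked_dag_ids("alice", list_ui_dags_fixed("alice")))
```

The design point is that the authorization decision must be made per record (here, per `dag_id`) rather than once per request; a single "has any DAG permission" gate is exactly the coarse check the advisory describes as insufficient.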
Affected Version(s)
Apache Airflow, all versions before 3.2.1 (0 ≤ version < 3.2.1)