Unauthorized Access Vulnerability in Apache Airflow Asset Graph
CVE-2026-40690

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-40690?

An access control issue in Apache Airflow allows a user with read access to at least one Directed Acyclic Graph (DAG) to view the asset dependency graph of any other asset within the deployment. This flaw can lead to information disclosure, enabling unauthorized users to learn the existence and names of other DAGs and associated assets beyond their intended permissions. It is paramount for users to upgrade to version 3.2.1 to mitigate this vulnerability and secure their installations.

Affected Version(s)

Apache Airflow 0 < 3.2.1

References

https://github.com/apache/airflow/pull/65273

patch

https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Saurabh

Jarek Potiuk

CVE-2026-40690 Data

JSON