Data Exposure in Apache Airflow UI due to Permission Check Flaw
CVE-2026-40963
Currently unrated
What is CVE-2026-40963?
A flaw in the structure_data endpoint of the Apache Airflow UI permits authenticated users to access external dependency graph nodes for linked Directed Acyclic Graphs (DAGs). The endpoint returns these nodes without verifying whether the user has permission to view the linked DAGs. Consequently, a user authorized for one DAG can enumerate the IDs of linked DAGs, along with their dependency metadata, even when those DAGs are ones the user is not permitted to access. This poses significant risk for organizations that rely on strict per-DAG read permissions to keep their DAG dependency architecture confidential across teams. Users should upgrade to Apache Airflow version 3.2.2 or later to mitigate this vulnerability.
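To illustrate the class of bug described above, the following constructed Python model (added here; not Apache Airflow's own code, and all names, node shapes and the permission set are hypothetical) contrasts a dependency-graph response that returns every external node with one that filters external nodes by the caller's per-DAG read permission and prunes edges that would otherwise still reveal the hidden DAG's identifier.

```python
# Illustrative model of a DAG dependency-graph response and the missing
# per-DAG read check. Constructed example code, not Airflow's implementation;
# node layout, permission model and sample values are hypothetical.
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Graph:
    nodes: list[dict] = field(default_factory=list)
    edges: list[tuple[str, str]] = field(default_factory=list)


# Constructed sample: the requested DAG's task plus external nodes pointing at
# linked DAGs that the requesting user may or may not be allowed to read.
SAMPLE_GRAPH = Graph(
    nodes=[
        {"id": "task_a", "type": "task", "dag_id": "finance_daily"},
        {"id": "finance_daily__upstream", "type": "external_dag",
         "dag_id": "hr_payroll", "meta": {"schedule": "@daily"}},
        {"id": "finance_daily__downstream", "type": "external_dag",
         "dag_id": "exec_reports", "meta": {"schedule": "0 6 * * *"}},
    ],
    edges=[("finance_daily__upstream", "task_a"),
           ("task_a", "finance_daily__downstream")],
)

# Constructed permission set: this user may read finance_daily and hr_payroll only.
USER_PERMS = {"finance_daily", "hr_payroll"}


def structure_data_unfiltered(graph: Graph) -> Graph:
    """Flawed behaviour: every external dependency node is returned as-is."""
    return graph


def structure_data_filtered(graph: Graph, can_read: Callable[[str], bool]) -> Graph:
    """Hardened behaviour: external_dag nodes are kept only when the caller can
    read the linked DAG; edges touching dropped nodes are removed too, because
    an edge endpoint alone can leak the hidden DAG's identifier."""
    kept = [n for n in graph.nodes
            if n["type"] != "external_dag" or can_read(n["dag_id"])]
    kept_ids = {n["id"] for n in kept}
    edges = [(s, d) for s, d in graph.edges if s in kept_ids and d in kept_ids]
    return Graph(nodes=kept, edges=edges)


def visible_dag_ids(graph: Graph) -> set[str]:
    """Linked DAG IDs a caller can learn from a returned graph."""
    return {n["dag_id"] for n in graph.nodes if n["type"] == "external_dag"}
```

A unit test that asserts `visible_dag_ids` on the filtered graph never exceeds the caller's permission set is a cheap regression check for this class of leak.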
Affected Version(s)
Apache Airflow 3.0.0 up to, but not including, 3.2.2