Access Control Flaw in Apache Airflow UI Affects User Permissions
CVE-2026-41014

4.3 MEDIUM

Key Information:

Vendor:
Apache

CVE Published:
1 June 2026

What is CVE-2026-41014?

The partitioned_dag_runs endpoints in the Apache Airflow UI have an access control flaw: a user who holds a global Asset:read permission can list and enumerate run states, schedule configuration and asset wiring for Dags on which that user has no Dag-level read permission. The flaw defeats the intended per-Dag read authorization whenever broader Asset permissions are granted, so a user with only asset-level rights can learn details of Dags they are not meant to see. Affected installations should upgrade to Apache Airflow 3.2.2 or later, which resolves the issue.
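The following is an added example, not code from Apache Airflow or from the advisory: it models the authorization pattern the description attributes to the flaw (a global Asset:read grant being accepted in place of a per-Dag read check) next to the hardened check, and adds a helper for comparing an installed Airflow version against the affected range. The User and DagRun structures, the permission strings "Asset:read" and "Dag:read", the two list_runs_* handlers and the sample run data are all constructed for illustration and are not Airflow's real API.

```python
"""Added example, not Apache Airflow code: a minimal model of the
per-Dag authorization flaw described in CVE-2026-41014 and of the
check that closes it, plus a helper that tests an installed version
against the affected range 3.2.0 <= v < 3.2.2.

HYPOTHETICAL: the User/DagRun structures, the permission strings
"Asset:read" and "Dag:read", and the two list_runs_* handlers are
constructed for illustration and do not reflect Airflow's real API.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    global_perms: frozenset = frozenset()  # e.g. {"Asset:read"}
    dag_read: frozenset = frozenset()      # dag_ids with an explicit Dag:read grant


@dataclass(frozen=True)
class DagRun:
    dag_id: str
    run_id: str
    state: str       # run state the advisory says leaks
    schedule: str    # schedule configuration
    assets: tuple    # asset wiring (inlets/outlets) touched by the run


# Constructed sample data: two Dags; the test user holds Dag:read on one only.
RUNS = (
    DagRun("etl_daily", "manual__1", "success", "@daily", ("s3://bucket/raw",)),
    DagRun("finance_close", "scheduled__7", "failed", "0 2 * * 1", ("s3://bucket/ledger",)),
)
ANALYST = User("analyst", global_perms=frozenset({"Asset:read"}),
               dag_read=frozenset({"etl_daily"}))
NO_ASSET_USER = User("viewer", dag_read=frozenset({"etl_daily"}))


def list_runs_vulnerable(user, runs):
    """Pre-fix behaviour as the advisory describes it: a global Asset:read
    grant is accepted as sufficient, so runs of every Dag are returned
    regardless of the caller's per-Dag read permissions."""
    if "Asset:read" in user.global_perms:
        return list(runs)
    return [r for r in runs if r.dag_id in user.dag_read]


def list_runs_fixed(user, runs):
    """Hardened behaviour: Asset:read never widens Dag visibility; each
    run is released only if the caller holds Dag:read on its dag_id."""
    return [r for r in runs if r.dag_id in user.dag_read]


def is_affected_version(version):
    """True when an Airflow version string (e.g. the output of
    `airflow version`) falls in the affected range 3.2.0 <= v < 3.2.2.
    Coarse check: any pre-release or local suffix after the third
    numeric component is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(x) for x in m.groups())
    return (3, 2, 0) <= parts < (3, 2, 2)


if __name__ == "__main__":
    leaked = [r.dag_id for r in list_runs_vulnerable(ANALYST, RUNS)]
    allowed = [r.dag_id for r in list_runs_fixed(ANALYST, RUNS)]
    print("vulnerable handler returns:", leaked)   # both Dags, finance_close leaks
    print("fixed handler returns:    ", allowed)   # only etl_daily
    for v in ("3.2.0", "3.2.1", "3.2.2", "3.1.5"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The point the model makes is that a broad permission on one resource type (assets) must not be consulted at all when authorizing a view over another resource type (Dag runs); the fixed handler filters on the Dag-level grant only. The version helper is a convenience for inventory scripts and is not a substitute for reading the release notes of the deployed build.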

Affected Version(s)

Apache Airflow 3.2.0 and later, prior to 3.2.2 (fixed in 3.2.2)

CVSS v3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Credit

Yalguun Tumenkhuu (fg0x0)
Jarek Potiuk