Information Disclosure Vulnerability in Apache Airflow Affects Multiple DAGs in Source Files
CVE-2026-49296

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
7 July 2026

What is CVE-2026-49296?

Prior to version 3.3.0 of Apache Airflow, an authorization flaw allowed a user with permission to view one Directed Acyclic Graph (DAG) to access the complete source code of other DAGs sharing the same source file. The API endpoint GET /api/v2/dagSources/{dag_id} and corresponding UI views failed to adequately restrict visibility to only those DAGs the user was authorized to view, thus circumventing critical per-DAG access controls. This vulnerability primarily impacts deployments where multiple DAGs are stored within a single file; those with single-DAG-per-file configurations remain unaffected. Users are advised to upgrade to Apache Airflow version 3.3.0 or newer to mitigate this risk.

Affected Version(s)

Apache Airflow 3.0.0 < 3.3.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matteo Panzeri (UniversitĂ  di Pavia), GitHub @matte1782
Jarek Potiuk
.