Information Disclosure Vulnerability in Apache Airflow Affects Multiple DAGs in Source Files
CVE-2026-49296
Currently unrated
What is CVE-2026-49296?
Prior to version 3.3.0 of Apache Airflow, an authorization flaw allowed a user with permission to view one Directed Acyclic Graph (DAG) to access the complete source code of other DAGs sharing the same source file. The API endpoint GET /api/v2/dagSources/{dag_id} and corresponding UI views failed to adequately restrict visibility to only those DAGs the user was authorized to view, thus circumventing critical per-DAG access controls. This vulnerability primarily impacts deployments where multiple DAGs are stored within a single file; those with single-DAG-per-file configurations remain unaffected. Users are advised to upgrade to Apache Airflow version 3.3.0 or newer to mitigate this risk.
Affected Version(s)
Apache Airflow 3.0.0 < 3.3.0