CVE-2026-28563

MEDIUM4.3EPSS 0.04%

Apache Airflow: DAG authorization bypass

Published: 3/17/2026Modified: 5/20/2026

Also known as:GHSA-x3fv-96qh-67m7BIT-airflow-2026-28563PYSEC-2026-15

Description

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Affected packages (3)

Bitnami/airflow>= 3.0.0, < 3.1.8
PyPI/apache-airflow>= 3.0.0, < 3.1.8
PyPI/apache-airflow>= 3.0.0, < 3.1.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-28563
PATCHhttps://github.com/apache/airflow
WEBhttps://github.com/apache/airflow/pull/62046
WEBhttps://lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s
WEBhttp://www.openwall.com/lists/oss-security/2026/03/17/5