CVE-2026-28563

MEDIUM4.3EPSS 0.04%

Apache Airflow: DAG authorization bypass

發布日:2026/3/17修改日:2026/5/20

也稱為:GHSA-x3fv-96qh-67m7BIT-airflow-2026-28563PYSEC-2026-15

描述

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

受影響套件(3)

Bitnami/airflow>= 3.0.0, < 3.1.8
PyPI/apache-airflow>= 3.0.0, < 3.1.8
PyPI/apache-airflow>= 3.0.0, < 3.1.8

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-28563
PATCHhttps://github.com/apache/airflow
WEBhttps://github.com/apache/airflow/pull/62046
WEBhttps://lists.apache.org/thread/dwzf62qg9z8wvfsjknpfd8bvtwghd49s
WEBhttp://www.openwall.com/lists/oss-security/2026/03/17/5