CVE-2026-41014
MEDIUM4.3Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
發布日:2026/6/5修改日:2026/6/5
也稱為:BIT-airflow-2026-41014PYSEC-2026-182
描述
The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
受影響套件(1)
- Bitnami/airflow>= 3.2.0, < 3.2.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |