{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26929", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-02-16T12:58:50.649Z", "datePublished": "2026-03-17T10:54:05.523Z", "dateUpdated": "2026-03-17T15:40:38.428Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.1.8", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Pierre Jeambrun"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Apache Airflow versions 3.0.0 through 3.1.7<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.</span><br><br><br>Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.<br><br><br>"}], "value": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-03-17T10:54:05.523Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/61675"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Wildcard DagVersion Listing Bypasses Per\u2011DAG RBAC and Leaks Metadata", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/17/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-17T13:31:59.997Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T15:40:34.971798Z", "id": "CVE-2026-26929", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:40:38.428Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/17/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-17T13:31:59.997Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26929", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T15:40:34.971798Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:37:34.145Z"}}], "cna": {"title": "Apache Airflow: Wildcard DagVersion Listing Bypasses Per\u2011DAG RBAC and Leaks Metadata", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "remediation developer", "value": "Pierre Jeambrun"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Airflow", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.1.8", "versionType": "semver"}], "packageName": "apache-airflow", "collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/airflow/pull/61675", "tags": ["patch"]}, {"url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.", "supportingMedia": [{"type": "text/html", "value": "Apache Airflow versions 3.0.0 through 3.1.7<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.</span><br><br><br>Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.<br><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-03-17T10:54:05.523Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26929", "state": "PUBLISHED", "dateUpdated": "2026-03-17T15:40:38.428Z", "dateReserved": "2026-02-16T12:58:50.649Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-03-17T10:54:05.523Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "A355B3D5-BAA7-4680-879B-55D6E3D52D68", "versionEndExcluding": "3.1.8", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Airflow versions 3.0.0 through 3.1.7\u00a0FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to \"~\" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue."}], "id": "CVE-2026-26929", "lastModified": "2026-03-17T16:16:20.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-17T11:16:11.490", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking"], "url": "https://github.com/apache/airflow/pull/61675"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/g5o6khx83jwqvdyn0mlyb0krt35cs9ss"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/03/17/4"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.1.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Airflow", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "airflow", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-03-17T17:14:57.689254+00:00", "value": {"mitigation_remediation": ["Update to Apache Airflow 3.1.8 or later"], "summary": {"action": "Patch", "impact": "Data Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Apache Airflow products from the Apache Software Foundation. Specifically, all releases from version 3.0.0 up to and including 3.1.7 are impacted. Users running any of these affected releases should verify their software version to determine whether they are exposed.", "description_and_impact": "Apache Airflow versions 3.0.0 through 3.1.7 expose a wildcard DagVersion listing API that does not apply per\u2011DAG authorization when the request sets dag_id to \"~\". This flaw, identified as CWE\u2011732 (Incorrect Authorization), allows an attacker to retrieve version metadata for DAGs that the requester is not allowed to see, thereby leaking potentially sensitive information about the system\u2019s data pipelines. The primary impact is a compromise of confidentiality, as the attacker gains unauthorized visibility into DAG metadata and version history.", "risk_and_exploitability": "The CVSS score of 6.5 classifies the issue as moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated API request to the FastAPI DagVersion endpoint, suggesting a network\u2011based attack vector that leverages legitimate Airflow credentials. While the risk is moderate, the low exploitation probability and the limited scope to metadata leakage imply that urgent action is still advisable, especially for environments exposing Airflow\u2019s API externally."}}}}, "created": "2026-03-18T12:13:28.476939+00:00", "updated": "2026-03-24T10:49:23.568557+00:00", "vendors": ["apache", "apache$PRODUCT$airflow"]}