{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40690", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-15T01:09:30.824Z", "datePublished": "2026-04-24T12:35:33.289Z", "dateUpdated": "2026-04-24T16:20:27.315Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.2.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Saurabh"}, {"lang": "en", "type": "remediation developer", "value": "Jarek Potiuk"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.<br><br>Users are recommended to upgrade to version 3.2.1, which fixes this issue.<br>"}], "value": "The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1220", "description": "CWE-1220: Insufficient Granularity of Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-24T12:35:33.289Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/65273"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users", "x_generator": {"engine": "airflow-s/generate_cve_json.py"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T14:54:08.675198Z", "id": "CVE-2026-40690", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:54:36.682Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/24/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T16:20:27.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/24/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T16:20:27.315Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T14:54:08.675198Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:52:57.661Z"}}], "cna": {"title": "Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Saurabh"}, {"lang": "en", "type": "remediation developer", "value": "Jarek Potiuk"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Airflow", "versions": [{"status": "affected", "version": "0", "lessThan": "3.2.1", "versionType": "semver"}], "packageName": "apache-airflow", "collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/airflow/pull/65273", "tags": ["patch"]}, {"url": "https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "airflow-s/generate_cve_json.py"}, "descriptions": [{"lang": "en", "value": "The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.<br><br>Users are recommended to upgrade to version 3.2.1, which fixes this issue.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1220", "description": "CWE-1220: Insufficient Granularity of Access Control"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-24T12:35:33.289Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40690", "state": "PUBLISHED", "dateUpdated": "2026-04-24T16:20:27.315Z", "dateReserved": "2026-04-15T01:09:30.824Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-24T12:35:33.289Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF856E9C-C3C2-44F3-B2B4-0DD0791C512C", "versionEndExcluding": "3.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.\n\nUsers are recommended to upgrade to version 3.2.1, which fixes this issue."}], "id": "CVE-2026-40690", "lastModified": "2026-04-27T12:24:56.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-24T13:16:21.443", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/apache/airflow/pull/65273"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/bqt7y4g2cpj396b0sd20lv510ff19ndl"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/24/4"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1220"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Airflow", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "airflow", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-28T14:21:07.106935+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Airflow to version 3.2.1 or later, ensuring that the asset graph view enforces DAG\u2011level permission checks in compliance with CWE\u20111220.", "Reevaluate all DAG read permissions and restrict them to only users who require access, thereby limiting the data exposed through the asset graph.", "Perform a targeted security review of permission mappings and audit logs to confirm that the asset graph endpoint respects user privileges and that no unauthorized DAG names or assets are exposed."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized disclosure of DAG names and related asset information"}, "threat_synthesis": {"affected_systems": "Apache Software Foundation\u2019s Apache Airflow deployments running a version earlier than 3.2.1 are impacted. The vulnerability exists across all builds of Airflow prior to the 3.2.1 release, which adds proper access\u2011control checks to the asset graph view.", "description_and_impact": "A flaw in Airflow\u2019s asset dependency graph layer allows a user who can read any single DAG to view the graph for all assets in the deployment. The interface fails to enforce the viewer\u2019s DAG\u2011read permissions, so the user can learn the existence and names of DAGs and assets that are outside the user\u2019s authorized scope. This creates a confidentiality risk where sensitive workflow definitions become visible to unauthorized staff.", "risk_and_exploitability": "The CVSS score of 4.3 rates the flaw as moderate. The EPSS score indicates a very low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a legitimate authenticated session with at least read access to one DAG, after which the attacker can view the entire asset graph via the web UI. It does not provide code execution or privilege escalation, but it allows information leakage if an insider or compromised account is used. The risk is therefore primarily lateral data disclosure rather than system compromise."}}}}, "created": "2026-04-27T21:00:11.928604+00:00", "updated": "2026-04-28T14:30:33.747625+00:00", "vendors": ["apache", "apache$PRODUCT$airflow"]}