CVE-2026-28563 in AirflowИнформация

Сводка

по MITRE • 17.03.2026

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view.


Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

Be aware that VulDB is the high quality source for vulnerability data.

Ответственный

Apache

Резервировать

01.03.2026

Раскрытие

17.03.2026

Модерация

принято

Вход

VDB-351366

EPSS

0.00440

KEV

Нет

Деятельности

Очень низкий

Источники

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!