GHSA-4m3h-wp5w-5hqhHighCVSS 7.5

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Published
March 17, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.

Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

🎯 Affected products1

  • pip/apache-airflow:>= 3.0.0, < 3.1.8

🔗 References (6)