Apache Airflow: Assigning single DAG permission leaked all DAGs Import...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to.

Users are advised to upgrade to 3.1.7 or later, which resolves this issue

Basic Information

ID CVE-2026-24098

Source apache

Published Feb 9, 2026 at 10:32

Modified Feb 9, 2026 at 15:29

Affected Product

Vendor Apache Software Foundation

Product Apache Airflow

Affected Versions Apache Software Foundation Apache Airflow 0

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. \n\nUsers are advised to upgrade to 3.1.7 or later, which resolves this issue",
    "published": "2026-02-09T10:32:53.910Z",
    "modified": "2026-02-09T15:29:40.555Z",
    "type": "cve",
    "title": "Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors",
    "source": "apache",
    "references": "https://github.com/apache/airflow/pull/60801\nhttps://lists.apache.org/thread/nx96435v77xdst7ls5lk57kqvqyj095x",
    "id": "CVE-2026-24098",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Airflow 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Airflow",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors_CVE-2026-24098