{“lastseen”:””,”description”:”The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI\/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.”,”published”:”2026-06-01T07:54:33.704Z”,”modified”:”2026-06-01T14:18:37.838Z”,”type”:”cve”,”title”:”Apache Airflow: DAG authorization bypass on \/ui\/structure\/structure_data”,”source”:”apache”,”references”:”https:\/\/github.com\/apache\/airflow\/pull\/65342\\nhttps:\/\/lists.apache.org\/thread\/s907bhsksc37m59f0loqjcp1ryobrr60″,”id”:”CVE-2026-40963″,”bulletinFamily”:””,”cwe”:[“CWE-285″],”cvelist”:null,”sourceData”:”Apache Software Foundation Apache Airflow 3.0.0″,”sourceHref”:””,”cvss”:{“score”:3.1,”severity”:”LOW”,”vector”:”CVSS:3.1\/AV:N\/AC:H\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Apache Airflow”,”version”:”3.0.0″,”vendor”:”Apache Software Foundation”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,133,12,71,13,7,11,5],"class_list":["post-58859","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-31","tag-exploit","tag-low","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n