wid-sec-w-2026-0755 · Published 2026-03-16 · View on BSI CERT-Bund ↗

Apache Airflow: Multiple Vulnerabilities

CVSS 8.1 HIGH

Risk Summary

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue. Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.

CVEs (4)

CVE-2026-26929 CVE-2026-28563 CVE-2026-28779 CVE-2026-30911

Affected Vendors

Apache

Affected Products (2)

Apache · Airflow <3.1.8

Apache · Airflow 3.1.8

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more