Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2f22794d-cda0-088a-7016-24b88adc3f12@apache.org>
Date: Tue, 07 Jul 2026 08:28:19 +0000
From: Rahul Vats <rahulvats@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-49296: Apache Airflow: Per-DAG read bypass discloses
 co-located DAGs' source via GET /api/v2/dagSources/{dag_id} 

Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.3.0

Description:

Before apache-airflow 3.3.0, a user authorized to read one Dag could disclose the source of other Dags co-located in the same source file. `GET /api/v2/dagSources/{dag_id}` — and the equivalent Dag-source view in the UI — returned the entire source file without redacting Dags the caller was not authorized to read, bypassing per-DAG read authorization. Deployments that co-locate multiple Dags in a single file and rely on per-DAG access control to limit source visibility are affected; single-Dag-per-file deployments are not. Upgrade to apache-airflow 3.3.0 or later.

Credit:

Matteo Panzeri (Università di Pavia), GitHub @matte1782 (finder)
Jarek Potiuk (remediation developer)

References:

https://github.com/apache/airflow/pull/67662
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-49296

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.